From: Walsh, Christina 


Sent: Thu, 26 Jan 2017 17:21:01 -0500 

To: Houston, Scott;Kletzly, Katrina;Kilgarriff, Laura 

Ce: Clunie, Peter;Murphy, Brenna;Thompson, Mardi;Bryant, Nathan;Cossairt, Tim 
Subject: 1652-NEW Certification of Identity (TSA Form 415) 

Attachments: Comment 5_Brian Zimmer_Keeping |Dentities Safe REAL ID.pdf, Comment 


1_Jeramie Scott_ EPIC-TSA-Real-ID.pdf, Comment 6_ Anonymous Document_Metadata-TSA-2013-0001- 
DRAFT-0028-01_26_2017-03_36_PM.pdf, Comment 7_Anonymous Document_Metadata-TSA-2013- 
0001-DRAFT-0027-01_26_2017-03_35_PM.pdf, Comment 2_ Ed Hasbrouck _ Identity Project (IDP).pdf, 
Comment 3_ lan Sharping_Cyber Privacy Project (CPP)_Real ID.pdf, Comment 4_Kara Templeton_PA 
Dept. of Transp..docx 


Hi All, 


Thanks for getting on the call today to discuss the 5 comments to the 60-day notice for 1652-NEW 
Certification of Identity (TSA Form 415). Also, Laura was able to get us the additional 2 comments from 
Regulations.gov. | have attached them to this email as Comments 6 and 7. Both comments were 
anonymous. 
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Katrina, 
Comment 6 is asking that the ICR be withdrawn because the commenter wasn’t able to see the form. 
\(o)(5) 

















Nathan & Laura, 
Px) The fact 
that a REAL ID compliant document exists but ts not present is not required by the act, does not enhance 
security, interferes with travelers’ constitutional right of travel, discriminates against travelers based on 
their state of residence (if certain states, through no fault of the traveler, opt not to comply with the 
REAL ID Act), and discriminates against travelers based on a host of other protected factors (including 
race) since certain groups are less likely to have ever obtained identification documents even if they live 
in REAL ID states.” Can you also take a stab at this? 





| will send out an invite for February 23, 2017 to discuss the finalization of the responses to the 
comments. 


Kind regards, 


Christina 


Christina A. Walsh 

Program Specialist 

Mission Support Division 

Office of Information Technology 
Transportation Security Administration 
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From: Gaudreau, Laura 


Sent: Thu, 12 Jan 2017 17:24:58 +0000 

To: Thompson, Mardi 

Subject: FW: 1652-NEW Certification of Identity (TSA Form 415) - 4 new comments to 
60DN submitted on deadline date 1/9/2017 

Attachments: EPIC Comments re: REAL ID Act Identity Verification Process [FR Doc. 2016- 


26958], Comments on TSA-2013-0001-0075 and petition for redress for information dissemination, 
Comment - Docket No. TSA-2013-001-0075, FR Doc. 2016-26958, submission of comment for Intent To 
Request Approval From OMB of One New Public Collection of Information: Certification of Identity Form 
(TSA Form 415), Comments in Response to DHS-2016-26958 


From: Walsh, Christina 
Sent: Tuesday, January 10, 2017 9:24 AM 




















To: Houston, Scott 4 3) |Goldman, Howard { exe) ] 
Kletzly, Katrina xe} Gaudreau, Laura Texte) ] 

Cc: Tadros, Anthony (CTR) <Anthony.Tadros@tsa.dhs.gov>; TSAPRA <TSAPRA@tsa.dhs.gov>; Anderson, 
Bruce{7 Pietra, Peter De 


Subject: 1652-NEW Certification of Identity (TSA Form 415) - 4 new comments to 60DN submitted on 
deadline date 1/9/2017 


Hi All, 
We received 4 new comments on January 9, 2017, the deadline for the submission of comments. | have 


attached the comments along with the previous comment from Andrew Meehan. | have also created 
the table below for tracking purposes: 
































Name Title Agency/Business | Contact Info Date of Type of 
Submission | Respons¢ 
1 | Jeramie D. | National Electronic (v6) 1/9/2017; Non- 
Scott Security Privacy 8:25pm media 
Counsel Information 
Director, Center (EPIC) 
Domestic 
Surveillance 
Project 
2 | Edward Consultant | The Identity xe) 1/9/2017; Non- 
Hasbrouck | to|IDP on Project (IDP) and 4:27pm media 
travel- The Cyber 
related Privacy Project 
issues 
3 | lan Consultant | Cyber Privacy (v6) 1/9/2017; Non- 
Sharping to CPP on_ | Project (CPP) 4:04pm media 
travel- and 





related 
issues 


Kara N. Director 
Templeton 


The 
Constitutional 
Alliance 

PA Department 
of 
Transportation, 
Bureau of Driver 
Licensing 





Andrew Policy 
Meehan Director 





Keeping 
\Dentities Safe 


weve) 





1/9/2017; 
10:03am 


12/9/2016; 
12:39pm 


We can discuss in depth on Thursday, January 12, 2017, 10-11:30am. Let me know if you have any 


questions. 

Kind regards, 
Christina 
Christina A. Walsh 


Program Specialist 
Mission Support Division 


Office of Information Technology 
Transportation Security Administration 





TSA/DHS Email:[ 
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Office 571-227[_ ©] 
Mobile(_ 
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media 


Media 
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From: Jeramie Scott 


Sent: Mon, 9 Jan 2017 20:23:20 -0500 

To: TSAPRA 

Ce: Marc Rotenberg;Kim Miller 

Subject: EPIC Comments re: REAL ID Act Identity Verification Process [FR Doc. 2016- 
26958] 

Attachments: EPIC-TSA-Real-ID-Comments-20170109.pdf 


Please find attached the comments of the Electronic Privacy Information Center (EPIC) re: REAL ID Act Identity 
Verification Process. 


Best regards, 
Jeramie 


Jeramie D. Scott 

National Security Counsel 

Director, EPIC Domestic Surveillance Project 
Electronic Privacy Information Center 


exe) 


Defend Privacy. Support EPIC. 
http://www.epic.org/donate/ 


epic.org ficiios 


COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER 
to the 
TRANSPORTATION SECURITY ADMINISTRATION 


Intent To Request Approval From OMB of One New Public Collection of Information: 
Certification of Identity Form (TSA Form 415) 


[Docket No. 2016-26958] 


January 9, 2017 


By notice published November 8, 2016 the Transportation Security Administration 
(“TSA”) requested public comments regarding the agency’s intent to request approval from the 
Office of Management and Budget (“OMB”) to collect information for a certification of identity 
form individuals who do not have a REAL ID that the DHS has deemed a “compliant” form of 
identification.' Pursuant to this notice, the Electronic Privacy Information Center (“EPIC”) 
recommends that the TSA not pursue the proposed information collection. Several states still 
rightly oppose REAL ID precisely because of the massive cost and the privacy concerns arising 
from the excessive collection of personal information by the federal government. The TSA’s 
proposal fails to address the underlying privacy objections to the REAL ID. 


EPIC is a public interest research center in Washington, D.C. EPIC was established in 





' Intent To Request Approval From OMB of One New Public Collection of Information: Certification of 
identity Form (TSA Form 415), 81 Fed. Reg. 78,623 (Nov. 8, 2016). 
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1994 to focus public attention on emerging privacy and human rights related issues, and to 
protect privacy, the First Amendment, and constitutional values. EPIC has considerable expertise 
analyzing the privacy and security risks attendant to the design and implementation of REAL ID. 
In 2007, EPIC filed comments on behalf of leading experts in privacy and technology in 
response to the draft regulations for REAL ID.’ At the time, we stated, “REAL ID is 
fundamentally flawed because it creates a national identification system. It cannot be fixed no 
matter what the implementation regulations say. Therefore, the REAL ID Act must be 


repealed.”* 


EPIC also highlighted the privacy and security risks of REAL ID as part of the 
“Spotlight on Surveillance” series.* EPIC also testified before the Department of Homeland 
Security’s (“DHS”) Data Privacy and Integrity Advisory Committee and explained that the 
REAL ID draft regulations impermissibly create a national identification system, prohibited by 
the law that established the DHS, and threaten national security and individual privacy.* In 2008, 
EPIC published a report detailing the significant costs of implementing REAL ID.° EPIC 
explained that “[DHS] [] believes that it can sweep aside the fact that REAL ID is an unfunded 


mandate by allocating $360 million to the States for REAL ID implementation...However, the 





? EPIC, Comments on DHS 2006-0030: Notice of Proposed Rulemaking: Minimum Standards for 
Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes (May 8, 
2007), http://www.epic.org/privacy/id_cards/epic_realid_comments.pdf. 

* EPIC and 24 Experts in Privacy and Technology, Comments on DHS 2006-0030: Notice of Proposed 
Rulemaking: Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal 
Agencies for Official Purposes (May 8, 2007) [hereinafter “EPIC Expert Comments on Draft 
Regulations”], http://www.epic.org/privacy/id_cards/epic_realid_comments.pdf. 

4 See EPIC, Federal REAL ID Proposal Threatens Privacy and Security (March 2007), 
http://epic.org/privacy/surveillance/spotlight/0307/. See also Anita Ramasastry, Why the New Department 
of Homeland Security REAL ID Act Regulations are Unrealistic: Risks of Privacy and Security Violations 
and Identity Theft Remain, and Burdens on the States Are Too Severe, Findlaw, Apr. 6, 2007, 
http://writ.news.findlaw.com/ramasastry/20070406.html. 

* Melissa Ngo, EPIC, Testimony and Statement for the Record at a Hearing Before the Data Privacy and 
Integrity Advisory Comm., Dep't of Homeland Sec. (Mar. 21, 2007), 
http://epic.org/privacy/id_cards/ngo_test_032107.pdf. 

® See EPIC, REAL ID Implementation Review: Few Benefits, Staggering Costs (May 2008), 
http://epic.org/privacy/id_cards/epic_realid_0508.pdf [hereinafter “EPIC 2008 Report”). 
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number still pales next to the agency’s ‘reduced’ estimate of $9.9 billion.”” Our concerns about 
the problems with REAL ID are widely shared by many other organizations.* 

We have attached to these comments both the 2007 and the 2008 Comments on REAL ID 
and ask they be included in the administrative record.” 

EPIC remains concerned that the REAL ID Act creates a national identification system, 
in violation of the DHS Act, and poses significant privacy risks to millions of individuals. 
Furthermore, TSA’s proposed collection of information will unduly burden millions of people in 
several states that have rightly chosen not to comply with the REAL ID Act. 

I History of Opposition to A National Identification System & REAL ID 

National identification cards have long been used to suppress minorities, track dissidents, 

and extend state authority.'° 
a. Historical Opposition to the Implementation of National Identification System 

The United States has always opposed the creation of a national identification system. 
When the Social Security Number (“SSN”) was created in 1936, it was meant to be used only as 
an account number associated with the administration of the Social Security system.'! Though 
use of the SSN has expanded considerably, it is not a universal identifier and efforts to make it 
one have been consistently rejected. In 1971, the Social Security Administration task force on the 


Social Security Number" declined to transform the number into an ID card.'? The Health, 


7 REAL ID Implementation Review: Few benefits, Staggering Costs, EPIC, May 2008, 
https://epic.org/privacy/id_cards/epic_realid_0508.pdf [hereinafter “EPIC 2008 Report”). 

“Speak Out Against REAL ID, THE PRIVACY COALITION, 

https://www. privacycoalition.org/stoprealid/. 

° See Appendix I and II. 

'° See generally, EPIC, National ID Cards and the REAL ID Act, http://www.epic.org/privacy/id_cards/. 
"' Dep’t of Health, Educ. & Welfare, Secretary’s Advisory Comm. on Automated Personal Data Systems, 
Records, Computers, and the Rights of Citizens 125-35 (MIT 1973) [hereinafter “HEW Report on Data 
Systems”], http://www.epic.org/privacy/hew 1973report/. 

"2 See generally, EPIC, Social Security Numbers, http://www.epic.org/privacy/ssn/. 
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Education and Welfare Secretary’s Advisory Committee on Automated Personal Data Systems 
in 1973 again rejected the creation of a national identifier and advocated the establishment of 
significant safeguards to protect personal data. The committee said: 


We recommend against the adoption of any nationwide, standard, personal 
identification format, with or without the SSN, that would enhance the likelihood 
of arbitrary or uncontrolled linkage of records about people, particularly between 
government or government-supported automated personal data systems. What is 
needed is a halt to the drift toward [a standard universal identifier] and prompt 
action to establish safeguards providing legal sanctions against abuses of 
automated personal data systems.'* 


The Federal Advisory Committee on False Identification also advised against the use of a 
national identifier in 1976.'° In 1977, the Privacy Protection Study Commission recommended 
against the adoption of a national ID system.'* In its report, Personal Privacy in an Information 
Society, the commission said that it: 

sees a clear danger that a government record system, such as that maintained by 

the Social Security Administration or the Internal Revenue Service, will become a 

de facto central population register unless prevented by conscious policy 

decisions. Therefore [...] the Federal government should act positively to halt the 

incremental drift toward creation of a standard universal label and central 

population register until laws and policies regarding the use of records about 

individuals are developed and shown to be effective.'” 

In Congressional testimony in 1981, Attorney General William French Smith stated that 


the Reagan administration was “explicitly opposed to the creation of a national identity card.”"* 


The Clinton administration advocated a “Health Security Card” in 1993 and assured the public 





' Soc. Sec. Admin., Soc. Sec. Number Task Force, Report to the Commissioner (May 1971). 

'* Dep’t of Health, Educ. & Welfare, Secretary’s Advisory Comm. on Automated Personal Data Systems, 
Records, Computers, and the Rights of Citizens 125-35 (MIT 1973) [hereinafter “HEW Report on Data 
Systems”], available at http://www.epic.org/privacy/hew1973report/. 

'S Dep’t of Justice, Fed. Advisory Comm. on False Identification, The Criminal Use of False 
Identification (Nov. 1976). 

'© Privacy Prot. Study Comm’n, Personal Privacy in an Information Society (July 1977) available at 
http://www.epic.org/privacy/ppsc1977report/. 

"Td. 

'S Robert B. Cullen, Administration Announcing Plan, ASSOCIATED PRESS, July 30, 1981. 
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that the card, issued to every American, would have “full protection for privacy and 
confidentiality.”'” Still, the idea was rejected and the card never was created. In 1999, Congress 
repealed a controversial provision in the Illegal Immigration Reform and Immigrant 
Responsibility Act of 1996 that authorized the inclusion of SSNs on driver’s licenses.”” 
b. State Opposition to the Implementation of REAL ID 

The DHS has repeatedly stated that REAL ID is not mandatory, however, REAL ID is 
not a “voluntary” program. In 2007, EPIC noted that “States are under considerable pressure to 
implement REAL ID and citizens who fail to carry the new identity document will find it 
impossible to pursue many routine activities.””! Furthermore, in issuing the final REAL ID rule 
DHS noted that it “believes that many States may find noncompliance an unattractive option” 
because the States would not be able to “maintain the conveniences enjoyed by their residents 
when using their State-issued driver’s licenses and non-driver identity cards for official purposes, 
particularly as it pertains to domestic air travel.””? Additionally, shortly before the passage of the 
Act a DHS spokesman stated that “[noncompliance with REAL ID] will mean real consequences 


for their citizens... if their leadership chooses not to comply.” 





° Press Release, White House Office of the Press Secretary, The Health Security Act Of 1993: Health 
Care That’s Always There (Sept. 22, 1993) available at http://www.clintonfoundation.org/legacy/092293- 
press-release-on-health-security-plan.htm. 

*° Illegal Immigration Reform and Immigrant Responsibility Act of 1996, Pub. L. No. 104-208, Div. C, 
Title III, § 309 (1996), amended by the Immigration and Naturalization Service Data Management 
Improvement Act of 2000, Pub. L. No. 106-215, 114 Stat. 337 (2000). 

2! EPIC and 24 Experts in Privacy and Technology, Comments on DHS 2006-0030: Notice of Proposed 
Rulemaking: Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal 
Agencies for Official Purposes (May 8, 2007) [hereinafter “EPIC Expert Comments on Draft 
Regulations”), available at http://www.epic.org/privacy/id_cards/epic_realid_comments.pdf. See 
Appendix II. at 3. 

» Final Rule, Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal 
Agencies for Official Purposes, 73 Fed. Reg. 5271, 5329 (Jan. 29, 2008) [hereinafter “REAL Final Rule”), 
available at http://edocket.access.gpo.gov/2008/08-140.htm. 

a Ryan Singel, Montana Governor Foments Real ID Rebellion, WIRED, Jan. 18, 2008, 
http://blog.wired.com/27bstroke6/2008/01/montana-governo. html. 
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At this point in time, those concerns have become a reality for some states as they 
currently face two options (1) comply with the REAL ID Act or (2) not comply and have their 
citizens secure alternative forms of identification in order to get on a plane.”* These two choices 
only allow one to come to the conclusion that REAL ID is a mandatory program as those states 
who do not comply with the DHS mandate will suffer consequences that are effectively penalties. 

Following the enactment of the REAL ID Act, at least 20 states enacted legislation 
opposing the REAL ID Act.”® While some of those states, under considerable pressure from the 
federal government, have modified earlier legislation,”° many still maintain opposition to REAL 
ID.”’ Part of the resistance to REAL ID from the states is because the costs of implementing 
REAL ID were, and remain, unfunded by the federal government and place a large burden on the 
states. However, in addition to concerns as to how states are to pay for implementing the Act, 
states also have significant privacy concerns as does the general public. 

Il. Privacy Risks Inherent in the REAL ID Act 


a. The Department of Homeland Security is not fulfilling their responsibility to 
protect privacy 


The DHS stated ten years ago that it is constrained in its power to protect the privacy of 
individuals and their data under the REAL ID Act. The agency claimed in the draft regulations 


that, “The Act does not include statutory language authorizing DHS to prescribe privacy 





4 Jad Mouawad, 7.8.4. Moves Closer to Rejecting Some State Driver's Licenses for Travel, NEW YORK 
TIMES, Dec. 28, 2015, http://www.nytimes.com/2015/12/29/business/tsa-moves-closer-to-rejecting- 
some-state-drivers-licenses-for-travel.html. 

°5 EPIC 2008 Report Appendix 1; State Legislative Activity in Opposition to the Real ID, NATIONAL 
CONFERENCE OF STATE LEGISLATURES, Jan. 2014, 
http://www.ncsl.org/documents/standcomm/sctran/REALIDComplianceReport.pdf. 

26 Garry Rayno, NH Senate Approves Bill Allowing Real ID Compliance, NEW HAMPSHIRE UNION 
LEADER, Apr. 14, 2016, http://www.unionleader.com/NH-Senate-approves-bill-allowing-Real-ID- 
compliance; Jim Harper, Once Again, REAL ID Is A National ID, CATO INSTITUTE, May 25, 2016, 
https://www.cato.org/blog/yes-real-id-national-id. 

27 Edward D. Murphy, Without Change In State Law, Maine IDs Won't Get Mainers Aboard Airplanes in 
2018, PRESS HERALD, Oct. 13, 2016, http://www.pressherald.com/2016/10/12/homeland-security- 
wont-extend-deadline-for-maine-compliance-with-federal-id-law/. 
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requirements for the state-controlled databases or data exchange necessary to implement the 
Act.”’* REAL ID creates a national identification system that affects 245 million license and 
cardholders nationwide, yet today the DHS has still failed to institute strong privacy safeguards 
in the system itself.”” The agency has the obligation to protect the privacy of individuals affected 
by this system and must do more than the feeble attempts set out in the Act. 

The Privacy Act of 1974 applies to the entire national identification system under 
guidelines set out by OMB and DHS.*” The OMB guidelines explain that the Privacy Act 
“stipulates that systems of records operated under contract or, in some instances, State or local 
governments operating under Federal mandate ‘by or on behalf of the agency . . . to accomplish 
an agency function’ are subject to .. . the Act.”*! The guidelines also explain that “systems 
‘maintained’ by an agency are not limited to those operated by agency personnel on agency 
premises but include certain systems operated pursuant to the terms of a contract to which the 


2 The REAL ID system is operated under a Federal mandate to accomplish 


agency is a party. 
several agency functions, including immigration control. 

Because the DHS has created this system, the agency must fully apply Privacy Act 
requirements of notice, access, correction, and judicially enforceable redress to the entire REAL 


ID national identification system. The REAL ID Acct states that individuals should attempt to 


exercise their rights to notice, access, correction and redress through State DMVs, the Social 





°8 Dep’t of Homeland Sec., Notice of Proposed Rulemaking: Minimum Standards for Driver's Licenses 
and Identification Cards Acceptable by Federal Agencies for Official Purposes, 72 Fed. Reg. 10,819, 
10,825 (Mar. 9, 2007) [hereinafter “REAL ID Draft Regulations”), 
http://edocket.access.gpo.gov/2007/07-1009.htm 

?°>EMERGENCY SUPPLEMENTAL APPROPRIATIONS ACT FOR DEFENSE, THE GLOBAL WAR 
ON TERROR, AND TSUNAMI RELIEF, 2005, 109 P.L. 13, 119 Stat. 231, 109 P.L. 13, 2005 Enacted 
H.R. 1268, 109 Enacted H.R. 1268; 6 C.F.R. 37.1 et. seq. 

*° EPIC Expert Comments on Draft Regulations, 6-12. 

*! Office of Mgmt. & Budget, Privacy Act Implementation: Guidelines and Responsibilities, 40 Fed. Reg. 
28,948, 28,951 (July 9, 1975), http://www.whitehouse.gov/omb/inforeg/implementation_guidelines.pdf. 
” Id. 
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Security Administration, the Department of State, and the U.S. Citizenship and Immigration 
Service (a part of the Department of Homeland Security).** 

In enacting REAL ID, DHS has punted the issue of privacy to the States, but the agency 
needs to lead. Various questions remain, including important ones concerning redress. The right 
of redress must be judicially enforceable. The Privacy Act protections must be mandated in the 
REAL ID regulations in order for DHS to fulfill its obligations. 

b. Privacy Risks of REAL ID 

There are significant threats to individual privacy and security that would be created by 
unfettered access to REAL ID national identification system data.** Some of these problems are 
based on the design of the card, the information required to be stored on the cards, and the 
safeguards for the underlying databases. 

Under REAL ID, a substantial amount of personal information must be included on the 
card. This includes a full legal name, digital photograph, and signature that can be read by 
common machine readable technology and the information included on the card is not required 
to be encrypted. Prior to enactment, the DHS Privacy Office supported encryption “because 2D 
bar code readers are extremely common, the data could be captured from the driver’s licenses 
and identification cards and accessed by unauthorized third parties by simply reading the 2D bar 
code on the credential” if the data is left unencrypted.** There are many examples of 
unauthorized users being able to download data from unencrypted machine-readable 


technology.*° To protect privacy and improve security, this machine-readable technology must 





*) REAL Final Rule at 5284-5284, supra note 20. 

4 EPIC Expert Comments on Draft Regulations at 17-28, supra note 26. 

*5 Dep’t of Homeland Sec. Privacy Office, Privacy Impact Assessment for the REAL ID Act 16 (Mar. 1, 
2007), http://www.epic.org/privacy/id_cards/pia_030107.pdf. 

*° EPIC Expert Comments on Draft Regulations at 21-23. 
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either include encryption or access must be limited in some other form. Without required 
encryption, REAL ID leaves 245 million individuals at risk for individual tracking.*” 

DHS rejected encryption in the final rule because of “the complexities and costs of 
implementing an encryption infrastructure.”** DHS is required to include security protections on 
the REAL ID card. Under the REAL ID Act, the card must include “Physical security features 
designed to prevent tampering, counterfeiting, or duplication of the document for any fraudulent 
purpose.” The agency has this obligation and it should not abdicate this responsibility. If DHS 
does not seek to limit access to the data on the REAL ID card, then it is signaling that it is 
acceptable for third parties to download, access and store data for purposes beyond the three 
official purposes. 

Rejecting encryption for the 2D barcode helps to push the REAL ID system into 
“widespread” use in everyday life, a goal that former DHS Secretary Chertoff and the DHS final 
tule itself expect and support. Such an expansion would harm both individual privacy and 
security and quickly turn the United States into a country where the REAL ID national 
identification card is involuntarily carried by everyone. 

Furthermore, the amount of information contained on the REAL ID cards increases risks 
if the card is compromised. There are a number of “insider” and “outsider” threats to the massive 
identification database connecting 56 States and territories. Creating a national identification 
database containing personal data of 245 million State license and ID cardholders nationwide, 
one that would be accessible from a massive number of DMVs across the country, is an 
invitation for all criminals — whether identity thieves or terrorists — to break into just one of these 


entrance points to gather such data for misuse. 





*7 EPIC Expert Comments on Draft Regulations at 17-18. 
*S REAL Final Rule at 5292. 
*° REAL ID Act at §202(b)(8). 
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Such a system would also be at risk of abuse from authorized users, such as DMV 
employees, who are bribed or threatened into changing the system data or issuing “authentic” 
national identification cards. It is appropriate to note here that, on the day that DHS released the 
final regulations for REAL ID, “A Maryland Motor Vehicle Administration employee [...] and 
four others were indicted [ ] on charges that they made and sold fake State driver’s licenses and 
identification cards in exchange for money.”*° 

Identity theft continues to be one of the leading concerns for consumers.*! The FTC 
found that in 2015, the last year for which information is currently available, the number of 
identity theft claims they received increased by more than 47% than identity theft incidents 
reported in 2014.” Furthermore, identity theft has been one of the top consumer issues for the 
past fifteen years.” 

Large-scale data breaches have occurred in State DMVs across the country; if the 
databases are linked under REAL ID, these breaches will only grow in scale. The Oregon DMV 
lost half a million records in 2005.4 Also that year, in Georgia, a dishonest insider exposed 
465,000 records.** In 2011 a North Carolina DMV worker was charged with five counts of 
identity theft after she used DMV computers to obtain information to take out payday loans in 


other people’s names.** In 2014, the California DMV suffered a data breach where credit card 





*° Five indicted in identity theft scheme, BALTIMORE SUN, Jan. 11, 2008. 

* FTC Releases Annual Summary of Consumer Complaints, FEDERAL TRADE COMMISSION, Mar. 1, 
2016, https://www.ftc.gov/news-events/press-releases/20 | 6/03/ftc-releases-annual-summary-consumer- 
complaints. 


4377 
“Id. 
“ Privacy Rights Clearinghouse, A Chronology of Data Breaches, 
http://www. privacyrights.org/ar/ChronDataBreaches.htm. 
* Id. 
4° Sloane Heffernan, Charge: Worker Used DMV Computers for ID Theft, WRAL, Oct. 17, 2011, 
http://www. wral.com/news/local/story/10268291/. 
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information was compromised via their online payment system.*” In 2015, an Oregon man was 
able to download a list that contained a DMV list of identification numbers as well as federal 
income tax forms and was charged with 26 counts of aggravated identity theft.** The list goes on, 
and the personal information of individuals will be endangered under the REAL ID national 
identification system. 

Domestic violence survivors are particularly vulnerable to compromised data. Domestic 
violence survivors who flee their abusers, crossing into different States, would be exposed if 
their abuser breaches the security of any one of these 56 interconnected databases. “An abuser 
with an associate inside a State DMV, law enforcement, or other agency with access to the State 
records would be able to track a victim as the victim moves across the country.” 

The danger of negligent and accidental disclosures is increased by REAL ID, as 
substantially more government employees will have access to all motor vehicle records 
nationwide. This sort of inadvertence will happen much more frequently in a post-REAL ID 
world as the access to driver’s license information is spread throughout the national 


identification system. 





47 Sources: Credit Card breach at California DMV, KREBS ON SECURITY, Mar. 22, 2014, 
https://krebsonsecurity.com/2014/03/sources-credit-card-breach-at-california-dmv/. 

48 Brent Welsberg, Convicted ID Thief Found With ‘How To’ Guide, DMV Database, KOIN6, 
http://koin.com/2015/02/12/convicted-id-thief-found-with-how-to-guide-dmv-database/. 

* EPIC Expert Comments on Draft Regulations at 50, supra note 26. 
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c. Increased Risks Associated with Hacking 

In light of recent events there is even more reason to be concerned about the likelihood 
and effects of a data breach occurring of state DMV records. The federal government has been 
subject to a number of hacks in recent years which have been incredibly concerning to those 
affected by those hacks and the public at large. The lack of security features remain and show the 
risk of those states that chose to adopt the REAL ID requirements. 

Recently, government data breaches have been numerous and severe and have raised 
concerns surrounding the safety of data in the United States. In the past three years, data 
breaches have affected the Office of Personnel Management,°° Internal Revenue Service,° 1 
Federal Bureau of Investigation, and the DHS.” Overall, the number of government data 
breaches has exploded in the last decade, rising from 5,503 in 2006 to 67,168 in 2014.3 

These reports of hacking and data breaches are likely to be of further concern to state 
officials who are implementing, or are skeptical of, REAL ID in light of recent revelations of the 
USS. Intelligence Community. The intelligence community currently has information showing 
that a foreign government was responsible for hacks of the Democratic National Committee as 
well as the hacking of John Podesta’s email.** While the full nature and reasons behind the 2016 
°° Dan Goodin, Call it a “Data Rupture”: Hack Hitting OPM Affects 21.5 Million, ARSTECHNICA (July 9, 
2015), http://arstechnica.com/security/2015/07/call-it-a-data-rupture-hack-hitting-opm-affects-2 1-5- 
million/. 

5! Dan Goodin, Call it a “Data Rupture”: Hack Hitting OPM Affects 21.5 Million, ARSTECHNICA (July 9, 
2015), http://arstechnica.com/security/2015/07/call-it-a-data-rupture-hack-hitting-opm-affects-2 1-5- 
million/. 

2 Alexandra Burlacu, Teen Arrested Over DHS and FBI Data Hack, TECH TIMES (Feb. 13, 2016), 
http://www.techtimes.com/articles/133501/201602 13/teen-arrested-over-dhs-and-fbi-data-hack.htm. 
U.S. Gov’t Accountability Office, Federal Agencies Need to Better Protect Sensitive Data 4 (Nov. 17, 
2015), http://www.gao.gov/assets/680/673678.pdf. 

“4 Background to “Assessing Russian Activities and Intentions in Recent US Elections”: The Analytic 
Process and Cyber Incident Attribution, DIRECTOR OF NATIONAL INTELLIGENCE, Jan. 6, 2017, 
https://www.dni.gov/files/documents/ICA_2017_01.pdf. See also David Sanger & Charlie Savage, U.S. 


Says Russia Directed Hacks to Influence Elections, NEW YORK TIMES, Oct. 7, 2016, 
http://www.nytimes.com/2016/10/08/us/politics/us-formally-accuses-russia-of-stealing-dne-emails.html. 
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US Presidential Election hacks are still being investigated and debated, the event should give 
pause to any state official that is considering fully complying with the REAL ID Act. It is clear 
that large databases of personal information are attractive targets for the purposes of identity 
theft, blackmail, or in some cases simply for the challenge of hacking into a government 
database. 
III. | Undue Burden on States Who Continue to Oppose REAL ID 

The REAL ID Acct is an unfunded mandate that burdens states with numerous 
unnecessarily requirements.*> Several states continue to fight the implementation of REAL 1p.*° 
As such, the TSA has stated that individuals with drivers licenses and identification cards from 
states the DHS deems “non-compliant” will need alternative forms of identification in order to 
board airplanes.°’ Consequently, individuals in states that oppose REAL ID are far more likely to 
be inconvenienced at the airport under the proposed new form of information collection. 

In addition to the eight states that opposed REAL ID, there are several other whose 


citizens may also be subjected to the agency’s data collection requirements. For example, 


°° See Emma Dumain, Noncompliance with REAL ID Could Mean Real Trouble for S.C. Travelers, THE 
POST AND COURRIER, Oct. 30, 2016, http://www.postandcourier.com/news/noncompliance-with-real- 
id-could-mean-real-trouble-for-s/article_bf679418-9c7f- 1 le6-be47-5fa2c5 le2fff.html; Rachel E. Stassen- 
Berger, Minnesota Real ID Licenses Closer — But Still Far From Reality, TWIN CITIES PIONEER 
PRESS, May 17, 2016, http://www.twincities.com/2016/05/17/minnesota-real-id-licenses-legislature- 
closer-but-still-far-from-reality/; Dan Griffin, REAL ID Requirements Could Soon Pose Problems for 
Kentucky Air Travelers, WLWT, Jan. 4, 2017, http://www.wlwt.com/article/real-id-requirements-could- 
soon-pose-problems-for-kentucky-air-travelers/68958 10; Jack Suntrup, Missouri Lawmakers Being to 
Tackle Real ID Problem, ST. LOUIS POST-DISPATCH, Jan. 13, 2016, 
http://www.stltoday.com/news/local/govt-and-politics/missouri-lawmakers-begin-to-tackle-real-id- 
problem/article_83326247-9410-56c2-adf8-cf2f7821e03e.html; Denied: Oklahoma's request for Real ID 
Act Extension Denied, KFOR, Oct. 11, 2016, http://kfor.com/2016/10/11/denied-oklahomas-request-for- 
real-id-act-extension-denied/. 

°° REAL ID Enforcement in Brief, DEPARTMENT OF HOMELAND SECURITY, 
https://www.dhs.gov/real-id-enforcement-brief. 

57 REAL ID Frequently Asked Questions for the Public, DEPARTMENT OF HOMELAND SECURITY, 
https://www.dhs.gov/real-id-public-faqs#. 
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Montana has a law that prevents them from fully implementing the Act.°8 Additionally, states 
like New York and Oregon have been granted extensions and may or may not be fully 
“compliant,” according to the DHS, by 2018 which potentially puts them at risk as well of 
having to go through information collection practices when they go to the airport.” 

The proposed system creates a large problem for states that the DHS deems “non- 
compliant.” The TSA seeks to implement information collection practices that will burden 
millions of traveling individuals who hail from states that do not adhere to REAL ID 
requirements. Many of these individuals will likely be entirely unware that their identification is 
not satisfactory and that they will be subject to TSA information collection until they arrive at 
the airport. These individuals will be burdened not because they do not have identification, but 
because they have identification that the TSA refuses to accept. Furthermore, the proposed 
information collection system penalizes these people for the choices of their state legislators and 
other state officials who have expressed several valid concerns surrounding REAL ID. 
Individuals should not be punished when their state representatives have strong concerns about 
how REAL ID will impact their citizens to whom they are all accountable. 

Given the stresses that a number of people face when traveling it is entirely misguided to 
have travelers who do have driver's licenses or identification cards which, for years, have been 
acceptable documents to show to be able to board a plane. This is not an instance where 


individuals arrive at the airport with no proof of who they are, it is an instance of the DHS, 


°8 Feds Deny Montana Request to Delay Driver's License Law, BILLINGS GAZETTE, Nov. 22, 2016, 
http://billingsgazette.com/news/state-and-regional/montana/feds-deny-montana-request-to-delay-driver-s- 
license-law/article_bd75d4f3-8084-5 | fb-ab38-98eef440ba97. html. 

® Katherine Lam, New Yorkers Have Until 2018 to Fly Domestically with their NY State Driver's License, 
PIX11, Jan.9, 2016, http://pix 1 1.com/2016/01/09/new-yorkers-have-until-20 1 8-to-fly-domestically-with- 
their-ny-state-drivers-license/; Rachel La Corte, Update: What REAL ID Means for Washington State, 
THE SEATTLE TIMES, Apr. 10, 2016, http://www.seattletimes.com/life/travel/what-real-id-means-for- 
washington-state/. 
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through TSA, attempting to force states to comply with their wishes and has nothing to do with 
airport security. 
IV. Conclusion 

The REAL ID Acct still poses several concerns and challenges for states. It remains an 
unfunded federal mandate that exposes millions of individuals to threats of identity theft as well 
as having their information compromised and potentially exposed. Several states have chosen not 
to comply with the Act for reasons spanning from lack of federal funding, to opposition to a 
national identification system, and privacy concerns. The proposed information gathering of 
individual at airports essentially punishes citizens for actions that their state governments have 
taken to protect their privacy. 

EPIC urges the TSA to abandon the proposed information collection for individuals who 
do not possess a state driver’s license that fails to comply with the DHS’s view of “compliance”: 
the United State has long opposed national identification system, the privacy risks of REAL ID 
are substantial, and the States were correct to opposed a federal identity system not in the best 
interests of their citizens. 


Respectfully Submitted, 


Zs/ Marc ‘Rotenberg 
Marc Rotenberg 
EPIC President and Executive Director 


Ls/ Jeramie D. Scott 


Jeramie D. Scott 
EPIC National Security Counsel 


Ls/ Kim Miller 
Kim Miller 
EPIC Policy Fellow 
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I. INTRODUCTION 

By notice published on March 9, 2007, the Department of Homeland Security 
(“DHS”) announced it seeks to establish “minimum standards for State-issued driver’s 
licenses and identification cards that Federal agencies would accept for official purposes 
after May 11, 2008, in accordance with the REAL ID Act of 2005.”' Pursuant to this 
notice, the aforementioned group (“Coalition”) submits these comments to request the 
Department of Homeland Security recommend to Congress that REAL ID is unworkable 
and must be repealed. The REAL ID Act creates an illegal de facto national identification 
system filled with threats to privacy, security and civil liberties that cannot be solved, no 
matter what the implementation plan set out by the regulations.” And if REAL ID 
implementation does go forward, the protections of the Privacy Act of 1974 must be fully 
enforced for all uses of the data current and feature. Agencies should not be permitted to 
assert any exemptions and individuals must granted all rights, including the judicially 
enforceable right to access and correct their records and to ensure compliance with all of 
the requirements of the Privacy Act. 

The problematic adoption of the law now under consideration is now well known. 
The REAL ID Act was appended to a bill providing tsunami relief and military 


appropriations, and passed with little debate and no hearings. It was passed in this manner 





' Dep’t of Homeland Sec., Notice of Proposed Rulemaking: Minimum Standards for Driver's Licenses and 
Identification Cards Acceptable by Federal Agencies for Official Purposes, 72 Fed. Reg. 10,819 (Mar. 9, 
2007) (“REAL ID Draft Regulations”), available at 

http://a257.g.akamaitech.net/7/257/2422/0 1 jan2007 1 800/edocket.access.gpo.gov/2007/07-1009.htm; see 
generally, EPIC, National ID Cards and the REAL ID Act Page, http://www.epic.org/privacy/id_cards/; 
EPIC, Spotlight on Surveillance, Federal REAL ID Proposal Threatens Privacy and Security (Mar. 2007), 
http://www.epic.org/privacy/surveillance/spotlight/0307; Anita Ramasastry, Why the New Department of 
Homeland Security REAL ID Act Regulations are Unrealistic: Risks of Privacy and Security Violations and 
Identity Theft Remain, and Burdens on the States Are Too Severe, Findlaw, Apr. 6, 2007, available at 
http://writ.news.findlaw.com/ramasastry/20070406.html. 

* Pub. L. No. 109-13, 119 Stat. 231 (2005). 
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even though Republican and Democratic lawmakers in the Senate urged Senate Majority 
Leader Bill Frist to allow hearings on the bill and to permit a separate vote on the 
measure.’ The senators said they believe REAL ID “places an unrealistic and unfunded 
burden on state governments and erodes Americans’ civil liberties and privacy rights.”* 


The people could not speak during this rushed process. They are speaking now. 


II. | REAL ID CREATES A NATIONAL ID SYSTEM 

Throughout the history of the United States, its people have rejected the idea of a 
national identification system as abhorrent to freedom and democracy. The REAL ID Act 
and the draft regulations to implement it create a de facto national identification system, 
and the Act must be repealed. 

A. Americans Have Consistently Rejected a National ID System 

When the Social Security Number (SSN) was created in 1936, it was meant to be 
used only as an account number associated with the administration of the Social Security 
system.* Though use of the SSN has expanded considerably, it is not a universal identifier 
and efforts to make it one have been consistently rejected.° In 1973, the Health, 
Education and Welfare Secretary’s Advisory Committee on Automated Personal Data 
Systems rejected the creation of a national identifier and advocated the establishment of 


significant safeguards to protect personal information. The committee said: 





* Press Release, S. Comm. on Homeland Sec. & Governmental Affairs, Twelve Senators Urge Frist To 
Keep Real ID Act Off Supplemental Appropriations Bill Sweeping Proposal Needs Deliberate 
Consideration (Apr. 12, 2005), available at 
http://www.senate.gov/%7Egov_affairs/index.cfm?FuseAction=PressReleases.Detail&A ffiliation=R& Press 
Release_id=953& Month=4&Year=2005. 

“Id. 

* EPIC & PRIVACY INT'L, PRIVACY AND HUMAN RIGHTS: AN INTERNATIONAL SURVEY OF PRIVACY LAWS. 
AND PRACTICE 47 (EPIC 2004). 

° See Mare Rotenberg, Exec. Dir., EPIC, Testimony and Statement for the Record at a Hearing on Social 
Security Number High Risk Issues Before the Subcomm. on Social Sec., H. Comm on Ways & Means, 109th 
Cong. (Mar. 16, 2006), available at http://www .epic.org/privacy/ssn/mar_l6test.pdf; EPIC page on Social 
Security Numbers, http://www.epic.org/privacy/ssn/. 
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We recommend against the adoption of any nationwide, standard, personal 

identification format, with or without the SSN, that would enhance the 

likelihood of arbitrary or uncontrolled linkage of records about people, 

particularly between government or government-supported automated 

personal data systems. What is needed is a halt to the drift toward [a 

standard universal identifier] and prompt action to establish safeguards 

providing legal sanctions against abuses of automated personal data 

systems.’ 

In 1977, the Carter Administration reiterated that the SSN was not to become an 
identifier. In Congressional testimony in 1981, Attorney General William French Smith 
stated that the Reagan Administration was “explicitly opposed to the creation of a 


national identity card.”* 


When it created the Department of Homeland Security, Congress 
made clear in the enabling legislation that the agency could not create a national ID 
system.’ In September 2004, then-Department of Homeland Security Secretary Tom 
Ridge reiterated, “[t]he legislation that created the Department of Homeland Security was 
very specific on the question of a national ID card. They said there will be no national ID 


card.”"° The citizens of the United States have consistently rejected the idea of a national 
identification system. 
B. REAL ID Is Not Voluntary 
Supporters of REAL ID point to the legislation, which says that State 
implementation is “voluntary.” However, States are under considerable pressure to 
implement REAL ID and citizens who fail to carry the new identity document will find it 


impossible to pursue many routine activities, The administration has also pursued a 





7 Dep’t of Health, Educ. & Welfare, Sec’y’s Advisory Comm. on Automated Personal Data Systems, 
Records, Computers, and the Rights of Citizens (July 1973), available at 
http://www.epic.org/privacy/hew1973report/. 

* Robert B. Cullen, Administration Announcing Plan, Associated Press, July 30, 1981. 

° Pub. L. No. 107-296, 116 Stat. 2135 (2002). 

"Tom Ridge, Sec’y, Dep’t of Homeland Sec., Address at the Center for Transatlantic Relations at Johns 
Hopkins University: “Transatlantic Homeland Security Conference” (Sept. 13, 2004), available at 
http://www.dhs.gov/xnews/speeches/speech_0206.shtm. 
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heavy-handed assault on those who have raised legitimate questions about the efficacy, 
cost, and impact of the $23B program. Critics of REAL ID have been labeled anti- 
security. In Congressional testimony, a high-ranking DHS official said, “Any State or 
territory that does not comply increases the risk for the rest of the Nation.”"! It is not anti- 
security to reject a national identification system that does not add to our security 
protections, but in fact makes us weaker as a nation. This system is also an unfunded 
mandate that imposes an enormous burden upon the states and the citizenry. The federal 
government has estimated that REAL ID will cost $23.1 billion, but it has allocated only 
$40 million for implementation and has told the states that they may divert homeland 
security grant funding already allocated to other security programs for REAL ID."* 

Design standardization means that anyone with a different license or ID card 
would be instantly recognized, and immediately suspected. The Department of Homeland 
Security already contemplates expanding the REAL ID card into “everyday 
transactions.” It will be easy for insurance firms, credit card companies, even video 
stores, to demand a REAL ID driver’s license or ID card in order to receive services. 
Significant delay, complication and possibly harassment or discrimination would fall 
upon those without a REAL ID card. In actuality, the “voluntary” card is the centerpiece 
of a mandatory national identification system that the federal government seeks to 


impose on the states and the citizens of the United States. 





" Richard C. Barth, Ass’t Sec’y for Policy Development, Dep’t of Homeland Sec., Testimony at a Hearing 
on Understanding the Realities of REAL ID: A Review of Efforts to Secure Drivers’ Licenses and 
Identification Cards Before the Subcomm. on Oversight of Gov't Management, the Federal Workforce & 
the District of Columbia, S. Comm. on Homeland Sec. & Governmental Affairs, 110th Cong. (Mar. 26, 
2007) (“DHS Testimony at REAL ID Hearing”), available at 
http://hsgac.senate.gov/_files/Testimonybarth.pdf. 

"? REAL ID Draft Regulations at 10,845, supra note 1. 

"8 See Data Collection Expansion discussion, infra Section IX (DHS plans to expand uses of REAL ID). 
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C. Regulations Create a De Facto National ID System 

The Department of Homeland Security draft regulations would (1) impose more 
difficult standards for acceptable identification documents that could limit the ability of 
individuals to get a state drivers license; (2) compel data verification procedures that the 
Federal government itself is not capable of following; (3) mandate minimum data 
elements required on the face of and in the machine readable zone of the card; (4) require 
changes to the design of licenses and identification cards (5) expand schedules and 
procedures for retention and distribution of identification documents and other personal 
data; and (6) dictate security standards for the card, state motor vehicle facilities, and the 
personal data and documents collected in state motor vehicle databases. These regulations 
create a de facto national identification system. 

State licenses and identification cards must meet standards set out in the 
regulations to be accepted for Federal use. REAL ID cards will be necessary for: 
“accessing Federal facilities, boarding commercial aircraft, and entering nuclear power 
plants.”'* The Supreme Court has long recognized that citizens enjoy a constitutional 


right to travel. In Saenz v. Roe, the Court noted that the “‘constitutional right to travel 
from one State to another’ is firmly embedded in our jurisprudence.”'* For that reason, 
any government initiative that conditions the ability to travel upon the surrender of 
privacy rights requires particular scrutiny. This is particularly relevant under the REAL 


ID regulations, as they affect 245 million license and cardholders nationwide. REAL ID 


could preclude citizens from entering Federal courthouses to exercise their right to due 





' REAL ID Draft Regulations at 10,823, supra note 1. 
'S 526 U.S. 489 (1999), quoting United States v. Guest, 383 U.S. 745 (1966). 
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process, or from entering Federal agency buildings in order to receive their Social 
Security or veterans’ benefits. 

DHS may compel card design standardization, “whether a uniform design/color 
should be implemented nationwide for non-REAL ID driver’s licenses and identification 
cards,” so that non-REAL ID cards will be easy to spot.'® This universal card design will 
lead to a national identification system, combined with the mandate under the proposed 
regulations imposing new requirements on state motor vehicle agencies so that the 
Federal government can link together their databases to distribute license and 
cardholders’ personal data, create a national identification system.'” DHS also has 
considered expanding the official uses for the REAL ID system, going so far as to 
estimate that one of the ancillary benefits of REAL ID implementation would be to 
reduce identity theft — a reduction DHS bases on “the extent that the rulemaking leads to 
incidental and required use of REAL ID documents in everyday transactions.”'* There are 
other ways in which DHS has contemplated expanding the uses of the REAL ID system 
so that the card becomes a national identifier — one card for each person throughout the 
country." 

Ill. DHS HAS THE OBLIGATION TO PROTECT PRIVACY OF CITIZENS 

The Department of Homeland Security states that it is constrained in its power to 

protect the privacy of individuals and their data under the REAL ID Act. The agency 


claims in the notice of proposed regulations that “The Act does not include statutory 





‘© REAL ID Draft Regulations at 10,841, supra note 1. 

"" Id. at 10,825. 

'S Dep't of Homeland Sec., Regulatory Evaluation; Notice of Proposed Rulemaking; REAL ID; 6 CFR Part 
37; RIN: 1061-AA37; Docket No. DHS-2006-0030, at 130 (Feb, 28, 2007) (“Regulatory Evaluation”), 
available at http://www.epic.org/privacy/id_cards/teg_eval_draftregs.pdf. 

'° See Data Collection Expansion discussion, infra Section IX (DHS plans to expand uses of REAL ID). 
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language authorizing DHS to prescribe privacy requirements for the state-controlled 
databases or data exchange necessary to implement the Act.””° We agree with Sen. 
Joseph Lieberman, who stated, “The concept that federal agencies need explicit 
Congressional authorization to protect Americans’ privacy is just plain wrong. In fact, 
our government is obligated to ensure that programs and regulations do not unduly 
jeopardize an individual’s right to privacy.””! 
The draft regulations include little in terms of privacy safeguards: 
In summary, DHS has proposed the following privacy protections in its 
implementing regulations for the REAL ID Act: (1) The State-to-State data 
exchanges and the State data query of Federal reference databases will be State 
operated and governed; (2) as part of the State certification process, States will be 
required to submit a comprehensive security plan, including information as to 
how the State implements fair information principles; and (3) while 
acknowledging the benefits of employing encryption of the personal information 
stored on the identification cards, we invite comment on its feasibility and costs 
and benefits to ensure that its costs do not outweigh the benefits to privacy.” 
DHS’s statement that it is constrained in its ability to set privacy protections for the 
REAL ID system is a product of the agency’s mistaken belief that security and privacy 
are separate. Security and privacy are intertwined; one cannot have a secure system if 
privacy safeguards are not created, as well. DHS stated that it “believes that this language 
[in the REAL ID Act] provides authority for it to define basic security program 
requirements to ensure the integrity of the licenses and identification cards.” Because 


DHS has the authority to define basic security requirements, it also has the authority to 


set basic privacy safeguards for the REAL ID system. 





» REAL ID Draft Regulations at 10,825, supra note 1. 

2! Joseph Lieberman, U.S. Senator, Statement at a Hearing on Understanding the Realities of REAL ID: A 
Review of Efforts to Secure Drivers’ Licenses and Iden tion Cards Before the Subcomm. on Oversight 
of Gov't Management, the Federal Workforce & the District of Columbia, S. Comm. on Homeland Sec. & 
Governmental Affairs, 110th Cong. (Mar. 26, 2007). 

S REAL ID Draft Regulations at 10,826, supra note 1. 

Id. 
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The draft regulations create a national identification system that affects 245 
million license and cardholders nationwide, yet DHS is hesitant to ensure strong privacy 
safeguards in the system itself. DHS has the obligation to protect the privacy of citizens 
affected by this system and must do more than the feeble attempts set out in the draft 


regulations. 


A. Privacy Act Applies Under OMB Guidelines 
The Department of Homeland Security states that the Privacy Act of 1974” 
applies to only one part of the REAL ID system — the Problem Driver Pointer System.” 
However, the Privacy Act of 1974 applies to the entire national identification system, 
under guidelines set out by the Office of Management and Budget (“OMB”) and the 
Department of Homeland Security itself. 

The OMB guidelines explain that the Privacy Act “stipulates that systems of 
records operated under contract or, in some instances, State or local governments 
operating under Federal mandate “by or on behalf of the agency . . . to accomplish an 
agency function’ are subject to. . . the Act.””° The guidelines also explain that the 
Privacy Act “make[s] it clear that the systems ‘maintained’ by an agency are not limited 
to those operated by agency personnel on agency premises but include certain systems 
operated pursuant to the terms of a contract to which the agency is a party.”’’ The REAL 


ID system is operated under a Federal mandate to accomplish several agency functions, 


including immigration control. 





*5 U.S.C. § 552a. 

°° REAL ID Draft Regulations at 10,826, supra note 1. 

*© Office of Mgmt. & Budget, Privacy Act Implementation: Guidelines and Responsibilities, 40 Fed. Reg. 
28,948, 28,951 (July 9, 1975) [OMB Guidelines”}, available at 

http://www. whitehouse.gov/omb/inforeg/implementation_guidelines.pdf. 

"Id. 
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The REAL ID system is covered by the Privacy Act under the Department of 
Homeland Security’s own policies. In a policy guidance memorandum from the agency’s 
Privacy Office, defines “DHS Information Systems” as “an Information System operated, 
controlled, or directed by the U.S. Department of Homeland Security. This definition 
shall include information systems that other entities, including private sector 
organizations, operate on behalf of or for the benefit of the Department of Homeland 
Security.”** The national system of interconnected State databases is “operate[d] on 
behalf of or for the benefit” of DHS. The Privacy Office also states: 

As a matter of DHS policy, any personally identifiable information (PII) that is 

collected, used, maintained, and/or disseminated in connection with a mixed 

system by DHS shall be treated as a System of Records subject to the Privacy Act 
regardless of whether the information pertains to a U.S. citizen, Legal Permanent 

Resident, visitor, or alien.”” 

It is clear that, under both DHS and OMG guidelines, the REAL ID national 


identification system is a system of records subject to the requirements and protections of 


the Privacy Act of 1974. 


B. Requirements of Notice, Access, Correction and Judicially Enforceable 
Redress Must Be Mandated 


If the Department of Homeland Security creates this system, the agency must 
fully apply Privacy Act requirements of notice, access, correction, and judicially 
enforceable redress to the entire REAL ID national identification system. Though the 
States are asked to include provisions for notice, access, correction and redress, this is not 
enough. The Privacy Act protections must be mandated in the REAL ID implementation 


regulations. 





** Privacy Office, Dep’t of Homeland Sec., Privacy Policy Guidance Memorandum 2 (Jan. 19,2007), 
available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2007-1.pdf. 
* Id. at 1. 
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When it enacted the Privacy Act in 1974, Congress sought to restrict the amount 
of personal data that Federal agencies could collect and required agencies to be 
transparent in their information practices.”” In 2004, the Supreme Court underscored the 
importance of the Privacy Act’s restrictions upon agency use of personal data to protect 
privacy interests, noting that: 

“[I]n order to protect the privacy of individuals identified in information systems 

maintained by Federal agencies, it is necessary . . . to regulate the collection, 

maintenance, use, and dissemination of information by such agencies.” Privacy 

Act of 1974, §2(a)(5), 88 Stat. 1896. The Act gives agencies detailed instructions 

for managing their records and provides for various sorts of civil relief to 

individuals aggrieved by failures on the Government’s part to comply with the 
requirements.*! 

The Privacy Act is intended “to promote accountability, responsibility, legislative 
oversight, and open government with respect to the use of computer technology in the 
personal information systems and data banks of the Federal Government[.]”* It is also 
intended to guard the privacy interests of citizens and lawful permanent residents against 
government intrusion. Congress found that “the privacy of an individual is directly 
affected by the collection, maintenance, use, and dissemination of personal information 
by Federal agencies,” and recognized that “the right to privacy is a personal and 
fundamental right protected by the Constitution of the United States.”* It thus sought to 
“provide certain protections for an individual against an invasion of personal privacy” by 
establishing a set of procedural and substantive rights.’ 


We support the Department of Homeland Security’s requirement that the States 


must include in their “comprehensive security plan” an outline of “how the State will 





 S. Rep. No. 93-1183 at 1 (1974). 

Doe v. Chao, 540 U.S. 614, 618 (2004). 
* §. Rep. No. 93-1183 at 1. 

* Pub. L. No. 93-579 (1974). 

M Id. 
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protect the privacy of personal information collected, disseminated or stored in 
connection with the issuance of REAL ID licenses from unauthorized access, misuse, 
fraud, and identity theft” and that the State has followed the Fair Information Practices 
(these are practices, not principles, as listed in the draft regulations), which “call for 
openness, individual participation (access, correction, and redress), purpose specification, 
data minimization, use and disclosure limitation, data quality and integrity, security 
safeguards, and accountability and auditing.”** However, this is not enough. The agency 
must mandate minimum security and privacy safeguards, which the states should build 
upon, to protect individuals and their personal information. Also, there must be standards 
for the issue of redress. How will redress be adjudicated if one State includes erroneous 
information in an individual’s file and passes that information on to another State? Will 
the individual have to petition both States separately for redress? Will neither State 
process the redress, because each believes it to be the responsibility of the other? The 
right of redress must be judicially enforceable. 

The right of redress is internationally recognized. The Organization for Economic 
Co-operation and Development (OECD) Guidelines on the Protection of Privacy and 
Transborder Flows of Personal Data recognize that “the right of individuals to access and 
challenge personal data is generally regarded as perhaps the most important privacy 
protection safeguard.”*’ The rights of access and correction are central to what Congress 


sought to achieve through the Privacy Act: 





*S REAL ID Draft Regulations at 10,826, supra note 1. 

* The OECD Privacy Guidelines of 1980 apply to “personal data, whether in the public or private sectors, 
which, because of the manner in which they are processed, or because of their nature or the context in 
which they are used, pose a danger to privacy and individual liberties.” Org. for Econ. Co-operation & 
Dev., Guidelines Governing the Protection of Privacy and Trans-Border Flow of Personal Data, OECD 
Doc. 58 final at Art. 3(a) (Sept. 23, 1980), reprinted in M. ROTENBERG ED., THE PRIVACY LAW 


Comments of EPIC 11 Department of Homeland Security 
REAL ID Docket No. DHS 2006-0030 


The committee believes that this provision is essential to achieve an important 
objective of the legislation: Ensuring that individuals know what Federal records 
are maintained about them and have the opportunity to correct those records. The 
provision should also encourage fulfillment of another important objective: 
maintaining government records about individuals with such accuracy, relevance, 
timeliness, and completeness as is reasonably necessary to assure fairness to 
individuals in making determinations about them.” 
The Privacy Act requirements that an individual be permitted access to personal 
information, that an individual be permitted to correct and amend personal information, 
and that an agency assure the reliability of personal information for its intended use must 
be applied to the entire REAL ID national identification system. Full application of the 
Privacy Act requirements to government record systems is the only way to ensure that 


data is accurate and complete, which is especially important in this context, where 


mistakes and misidentifications are costly. 


IV. REAL ID Carbs Must Not DENOTE CITIZENSHIP STATUS 

DHS is considering using the REAL ID card in the Western Hemisphere Travel 
Initiative border security program. For the REAL ID card to be compliant under the 
program, it would need to include long-range RFID technology, discussed below, and 
“the State would have to ensure that the State-issued REAL ID driver’s license or 
identification card denoted citizenship.”** It cannot be stressed strongly enough: REAL 
ID cards must not include citizenship status. If REAL ID cards were to signify 
citizenship, there would be intense scrutiny of and discrimination against individuals who 


chose not to carry the national identification card and those who “look foreign.” 





SOURCEBOOK 2004 395 (EPIC 2005. The OECD Privacy Guidelines require, among other things, that there 
should be limitations on the collection of information; collection should be relevant to the purpose for 
which it is collected; there should be a policy of openness about the information’s existence, nature, 
collection, maintenance and use; and individuals should have rights to access, amend, complete, or erase 
information as appropriate. Id. 

57 H.R. Rep. No. 93-1416 at 15 (1974). 

*S REAL ID Draft Regulations at 10,842, supra note 1. 
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V. STANDARDS FOR ID DOCUMENTS WOULD BURDEN MANY INDIVIDUALS 

Under the REAL ID Act, States are required to obtain and verify documents from 
applicants that establish “(1) The applicant’s identity, through a photo identity document, 
or a non-photo identity document that includes full legal name and date of birth if a photo 
identity document is not available; (2) Date of birth; (3) Proof of SSN or ineligibility for 
an SSN; (4) The applicant’s address of principal residence; and (5) Lawful status in the 
United States.”*” Under the regulations, the only documents that could be accepted by the 
states to issue these new identity cards would be: (1) valid unexpired U.S. passport or the 
proposed passport card under the Western Hemisphere Travel Initiative; (2) certified 
copy of a birth certificate; (3) consular report of birth abroad; unexpired permanent 
resident card; unexpired employment authorization document; (4) unexpired foreign 
passport with valid U.S. visa affixed; (5) U.S. certificate of citizenship; U.S. certificate of 
naturalization; or (6) REAL ID driver’s license or identification card (issued in 
compliance with the final regulations). 

The difficult standards for acceptable identification documents would limit the 
ability of some individuals to get a state driver’s license. There are questions as to 
whether some citizens could produce these documents, among them Native Americans, 
victims of natural disasters, domestic violence victims, the homeless, military personnel, 
or elderly individuals.*' We applaud the Department of Homeland Security for attempting 
to resolve this problem by allowing the States to voluntarily create an exceptions process 


for extraordinary circumstances. However, though DHS set minimum standards for data 





Id. at 10,827. 

© Td. at 10,827-28. 

“! See Domestic Violence discussion, infra Section XI (how domestic violence victims will be harmed by 
the standards); see Data Verification discussion, infra Section VI (general problems with the standards). 
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collection, retention and documentation of the transaction, the agency did not set 
minimum standards for eligibility, length of process, or cost of process.*” DHS states that 
persons born before 1935 might not have been issued birth certificates, so they might be 
eligible for the exceptions process.** Otherwise, there is nothing that explains to either 
States or individuals how they could prove eligibility, how long the process would take 
(days, weeks, months or even years), or if they could even afford the cost of the 


exceptions process. 


VI. DATA VERIFICATION PROCEDURES ARE BASED ON FAULTY PREMISES 

The data verification procedures mandated by the draft regulations are based on 
faulty premises: DHS relies on non-existing, unavailable or incomplete databases and the 
mistaken belief that DMV workers can or should be turned into Federal immigration 
officers. Each assumption creates more problems in the Department of Homeland 
Security’s attempt to create a fundamentally flawed national identification system. 

A. DHS Relies on Verification Databases That Are Not Available 

Under REAL ID, the states must verify applicant documents and data with the 
issuing agency. DHS states that, “[f]or individual States to verify information and 
documentation provided by applicants, each State must have electronic access to multiple 
databases and systems . . . . Secure and timely access to trusted data sources is a 
prerequisite for effective verification of applicant data.”** Yet, beyond the national 
identification system created by the State-to-State data exchange, two of four verification 


systems required are not available on a nationwide basis and third does not even exist. 





“ REAL ID Draft Regulations at 10,834, supra note 1. 
8 Td. at 10,822. 
“ Id. at 10,833. 
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The database systems the States are required to verify applicant information 
against are: (1) Electronic Verification of Vital Events (“EV VE”), for birth certificate 
verification; (2) Social Security On-Line Verification (“SSOLV”), for Social Security 
Number verification; (3) Systematic Alien Verification for Entitlements (“SAVE”), for 
immigrant status verification; and (4) a Department of State system to verify data from 
“U.S. Passports, Consular Reports of Birth, and Certifications of Report of Birth.“ 

The only system that is available for nationwide deployment is SSOLV, and a 
survey of States by the National Governors Association found that even this database 
would need substantial improvements to be able to handle the workload that would be 
needed under REAL ID.“ EVVE is currently in pilot phase and only five states are 
participating.*’ Yet DHS bases its requirements on the assumption that EVVE will be 
ready for nationwide expansion by the implementation deadline May 2008.“ The 
executive director of the organization overseeing the database has announced that EVVE 
will not be ready by May 2008 and the system may not be ready by the extended 
implementation deadline of December 2009.” 

DHS admits that only 20 states are using SAVE, and that the planned connection 
between SAVE and another database for foreign student status verification (Student and 


Exchange Visitor Information System, “SEVIS”) may not be completed by the 





8 Td. at 10,830-35; Electronic Verification of Vital Events (“EV VE”) is also called Electronic Verification 

of Vital Event Records (“EVVER”) in some federal documents. 

“© Nat'l Governors Ass'n, et. al, The REAL ID Act: National Impact Analysis (Sept. 19, 2006) [“Governors’ 
Analysis”), available at http://www.nga.org/Files/pdf/0609REALID.PDF. 

“Nat'l Ass’n for Public Health Statistics & Info. Systems, Electronic Verification of Vital Events (EVVE), 
http://www.naphsis.org/projects/index.asp?bid=403. 

“8 REAL ID Draft Regulations at 10.831, supra note 1. 

* Eleanor Stables, Multi-Billion Dollar Real ID Program May Be Stymied Due to $3 Million Shortfall, CQ, 
Mar. 15, 2007. 
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implementation deadline of May 2008.” 


The State Department system to verify passports 
and some reports of births has not even been created, but DHS bases its mandates on the 


assumption that the system “is eventually developed.”*! 
B. DMV Workers Cannot and Should Not Become Immigration Officials 

Under the regulations, State DMV employees would need to authenticate license 
and identification card applicants’ source documents, which means the employees would 
be required to physically inspect the documents and “verify[] that the source document 
presented under these regulations is genuine and has not been altered.”** These source 
documents are: (1) valid unexpired U.S. passport or the proposed passport card under the 
Western Hemisphere Travel Initiative; (2) certified copy of a birth certificate; (3) 
consular report of birth abroad; unexpired permanent resident card; unexpired 
employment authorization document; (4) unexpired foreign passport with valid U.S. visa 
affixed; (5) U.S. certificate of citizenship; U.S. certificate of naturalization; or (6) REAL 
ID driver’s license or identification card (issued in compliance with the final 
regulations). 

State DMV employees would be required to verify these documents, including 
Federal immigration documents, though they have no training to do so. DHS 
contemplates this problem and seeks to solve it by requiring that DMV employees 
handling source documents undergo 12 hours of “fraudulent document recognition” 
training.’ A review of the Social Security Administration found that staff had difficulty 


recognizing counterfeit documents, though it is their primary job to verify these 





°° REAL ID Draft Regulations at 10,833, supra note 1. 
5! Id. at 10,832. 

* Id. at 10,850. 

53 Id. at 10,827-28. 

* Regulatory Evaluation at 122, supra note 18. 
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documents before issuing SSN. For example, the Government Accountability Office 
review reported difficulty with detection of fraudulent birth certificates. In one case, a 
fake in-state birth certificate was detected, but “SSA staff acknowledged that if a 
counterfeit out-of-state birth certificate had been used, SSA would likely have issued the 
SSN because of staff unfamiliarity with the specific features of numerous state birth 
certificates.” It is questionable how well State DMV employees would be able to spot 
fraudulent documents, especially documents as rarely seen as consular reports of birth 
abroad, with merely 12 hours of training when it is difficult for counterfeit documents to 
be spotted by federal employees whose primary job is verification of source documents. 
Also, if a State DMV employee determines that an applicant’s source documents are 


fraudulent, where could the applicant turn? No redress procedure has been created.” 


VII. MINIMUM DATA ELEMENTS ON MRT MusT REMAIN MINIMUM 

Under REAL ID, the following amount of information, at a minimum, must be on 
the REAL ID card: (1) full legal name; (2) date of birth; (3) gender; (4) driver’s license or 
identification card number; (5) digital photograph of the person; (6) address of principal 
residence; (7) signature; (8) physical security features; (9) a common machine readable 
technology, with defined minimum data elements; and, (10) card issue and expiration 
date.*’ The REAL ID card will include a 2D barcode as its machine readable technology. 
To protect privacy and improve security, this machine readable technology must either 
include encryption, which is recommended by the DHS Privacy Office, or access must be 


limited in some other form. Leaving the machine readable zone open would allow 





*5 Gov't Accountability Office, Social Security Administration: Actions Taken to Strengthen Procedures for 
Issuing Social Security Numbers to Noncitizens, but Some Weaknesses Remain, GAO-04-12 (Oct. 2003), 
available at http://www.gao.gov/cgi-bin/getrpt?GAO-04-12. 

°° See Privacy Act discussion, supra Section III. 

°’ REAL ID Draft Regulations at 10,8435, supra note 1. 
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unfettered third-party access to the data and leave 245 million license and cardholders 


nationwide at risk for individual tracking. 


A. Access to Data Must Be Limited 

Under the required changes to the design of State licenses and identification 
cards, DHS states the card must include “[p]hysical security features designed to prevent 
tampering, counterfeiting, or duplication of the document for fraudulent purpose” and 
“common [machine-readable technology], with defined minimum data elements.”** The 
Federal agency will require the use of a two-dimensional bar code, but will not require 
the use of encryption. Though Homeland Security lays out the privacy and security 
problems associated with creating an unencrypted machine readable zone on the license, 
it does not require encryption because there are concerns about “operational 
complexity.” 

The Department of Homeland Security’s own Privacy Office has urged the use of 
encryption in REAL ID cards. In its Privacy Impact Assessment of the draft regulations, 
the Privacy Office supported encryption “because 2D bar code readers are extremely 
common, the data could be captured from the driver’s licenses and identification cards 
and accessed by unauthorized third parties by simply reading the 2D bar code on the 
credential” if the data is left unencrypted.” DHS says that, “while cognizant of this 


problem, DHS believes that it would be outside its authority to address this issue within 





%8 Jd. at 10,835. 

® Id. at 10,826. 

Dep't of Homeland Sec. Privacy Office, Privacy Impact Assessment for the REAL ID Act 16 (Mar. 1, 
2007) (“Privacy Impact Assessment of Draft Regulations”], available at 
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_realid.pdf and 
http://www.epic.org/privacy/id_cards/pia_030107.pdf. 
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this rulemaking.”' As we have previously stated, DHS has the obligation to protect the 
privacy of individuals from whom they collect data, and the agency should not abdicate 
this responsibility.” Imposing a requirement for the States to use unencrypted machine 

readable technology renders the cardholder unable to control who receives her data. 

If, however, the agency determines that it will not use encryption because of 
concerns about the complexity of public key regulation, there is another approach that 
would better protect the privacy of individuals than unfettered access to the machine 
readable zone. We suggest that no personal data be placed on the machine readable zone. 
Instead, place a new identifier that is unused elsewhere (i.e., not the driver’s license 
number or Social Security Number). This unique identifier will “point” to the records in 
the national database. Access to the database can be controlled by password and 
encryption security, because it is easier to regulate public keys in this scenario. Also, the 
State should ensure that a new unique identifier is created each time the machine readable 
zone is renewed or reissued, in order to make the identifier less useful as an everyday ID 
number — people would not be forever linked to this identifier. This approach would 
improve data security and privacy. 

It is possible to use a “pointer” system in the machine readable zone, because the 
REAL ID Act did not set out what minimum document requirements on the machine 
readable zone need to be. The Act reads, “(9) a common machine-readable technology, 
with defined minimum data elements.” Also, in the draft regulations, DHS requests 


comments on “[w]hether the data elements currently proposed for inclusion in the 





°' REAL ID Draft Regulations at 10,837, supra note 1. 

° See Privacy Act discussion, supra Section III (federal agencies have the obligation to protect the privacy 
rights of individuals from whom they collect information). 

® Pub. L. No. 109-13, 119 Stat. 231, 312, § 202(b)(9) (2005). 
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machine readable zone of the driver's license or identification card should be reduced or 
expanded.” We recommend against putting any personal data on the machine readable 
zone and only placing this unique identifier. In this way, access to the data can be more 
tightly controlled. 

DHS is required to include security protections on the REAL ID card. Under the 
REAL ID Act, the card must include “(8) Physical security features designed to prevent 
tampering, counterfeiting, or duplication of the document for any fraudulent purpose.””° 
If DHS does not seek to limit access to the data on the REAL ID card, then it is signaling 
that it is acceptable for third parties to download, access and store the data for purposes 
beyond the three official purposes set out in the draft regulations: “accessing Federal 
facilities, boarding commercial aircraft, and entering nuclear power plants.” Though 
DHS has contemplated expanding the uses for the REAL ID card, such an expansion 
would harm both individual privacy and security and quickly turn the United States into a 
country where the national identification card is involuntarily carried by everyone. 

B. Unfettered Data Access Threatens Individual Privacy 

If personal data is placed on the machine readable zone of the REAL ID card, 
then access to this data must be limited or individual privacy will be threatened. 
Unlimited access to this data will allow unauthorized third parties to download, access 
and store the personal data of any REAL ID cardholder. 

The REAL ID Act mandates that the REAL ID card include “(8) Physical security 


features designed to prevent tampering, counterfeiting, or duplication of the document for 





REAL ID Draft Regulations at 10,842, supra note 1. 
° Pub. L. No. 109-13, 119 Stat. 231, 312, § 202(b)(8) (2005). 
° REAL ID Draft Regulations at 10,823, supra note 1. 
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any fraudulent purpose.””’ Allowing universal access to personal data contained on the 
REAL ID card would facilitate identity theft and security breaches. In the privacy impact 
assessment of the draft regulations, the Department of Homeland Security Privacy Office 
urges encryption for the REAL ID machine readable zone. It explains that unsecured 
digital data raises the risk of “skimming,” where one “expos[es] the information stored on 
the credential to unauthorized collection.” This risk is not theoretical, the Privacy Office 
says, because “[rJeaders for the 2D bar code are readily available for purchase on the 
Internet and at a very low cost, which permits unauthorized third parties to skim the 
information for their own business needs or to sell to other third parties.” Such 
skimming is often done without the individual’s knowledge or consent. 

A recent case illustrates the security threat posed by open access to personal data 
on a machine readable technology. Last month, New York prosecutors charged thirteen 
people in a counterfeiting ring where restaurant servers on the East Coast (from 
Connecticut to Florida) skimmed data from customers’ credit cards.” “They used small 
hand-held devices, about the size of a cigarette package that could be kept in a pocket, to 
record information encoded in the magnetic strips of credit cards.””' For a year and a half, 
the illegally gathered data was used to create fake credit cards and buy merchandise that 
the criminals resold.” The financial data was easily accessed, downloaded and misused 
by the criminals because anyone with a skimmer device was able to read the unprotected 


machine readable zones. 





°7 Pub. L. No. 109-13, 119 Stat. 231, 312, § 202(b)(8) (2005). 
°* Privacy Impact ssment of Draft Regulations at 14. 
Privacy Impact Assessment of Draft Regulations at 14. 
” Anemona Hartocollis, $3 Million Lost to Fraud Ring, Authorities Say, N.Y. Times, April 21, 2007. 
TT 
Id. 
"Id. 
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Some States are already facing problems with unauthorized parties accessing 
license and ID card data. California, Nebraska, New Hampshire, and Texas have laws 
restricting the skimming of such data.” In November, the New Jersey Motor Vehicle 
Commission sent letters to bar, restaurant and retail organizations explaining that they 
must stop scanning and downloading their patrons’ license data.” Such actions violate the 
state Digital Driver License Act, as well as the state and federal Drivers Privacy 
Protection Acts, according to the commission.”* Yet at least one establishment expressed 
reluctance to stop downloading and storing their customers’ personal data, even in the 
face of legal action from the State.” Today, different States have different ID cards with a 
variety of data and security features. Imagine what would happen if 245 million cards 
nationwide had personal data in the exact same open access format. 

When a person hands over her license or ID card today, the data is not routinely 
downloaded and stored. A grocery store clerk or club bouncer usually merely looks at the 
card, verifies age or address, and then hands the card back to the individual. No 
transaction is recorded. However, universal access to the machine readable zone of the 
REAL ID card would allow the data to be downloaded, stored and transferred without the 
knowledge or permission of the individual cardholder. A digital transaction would be 
recorded and a digital trail could be created. 

For example, let’s follow Douglas Osborne for one weekend in the near future, if 
the national identification system is created and the machine readable zone left open for 


universal access. On Friday night, Doug went to Eighteenth Street Lounge at 8 p.m. with 





® Privacy Impact Assessment of Draft Regulations at 15. 

™ Tan T. Shearn, License scanning is illegal, state says, Star-Ledger (NJ), Nov. 23, 2006. 
* Id. 

"Id. 
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four friends, where their REAL ID cards were scanned and their personal data accessed 
and stored. At 9:35 p.m., he went to Club Five with the same four friends, where their 
REAL ID cards were scanned and their personal data accessed and stored. On Saturday 
afternoon, Doug bought two six-packs of Harpoon beer at 12:27 p.m. at a Safeway in 
Capitol Hill, where Doug’s REAL ID data was scanned and stored. On Saturday night, 
Doug and two friends took the 5:10 flight to Atlantic, where their cards were scanned and 
their information stored.”” At 11:37 p.m., Doug and his two friends checked into a hotel, 
where their ID cards were scanned and their data downloaded. On Sunday morning, one 
of Doug’s friends buys cigarettes at a casino, and his REAL ID is scanned and his data 
stored at 11:04 a.m. The digital trail could continue indefinitely. Individuals could easily 
be tracked from location to location as they went about their daily lives. Add to the 
REAL ID trail the information that could be gleaned from individuals’ credit card 
transactions, and you have complete consumer profiles for which many companies would 
pay dearly. 

DHS must include in restrictions against the addition of data beyond that defined 
in the REAL ID Act. To allow additional data on the machine readable zone is to increase 
the likelihood of the REAL ID card becoming the default identification documents for 
everyday transactions; this would increase the incentive for third parties to gather and 
store individuals’ data, and substantially increase the card’s value to marketers and 
criminals. Expansion of the data collected, uses allowed, and users authorized would 


greatly increase both threats to the security and privacy of personal data. 





” “Because REAL IDs use a common MRT, the Transportation Security Administration (TSA) considered 
requiring the use of machine readers on REAL IDs at airports. Ar this time TSA has rejected [the plan}” 
(emphasis added). Regulatory Evaluation at 58, supra note 18. 
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C. Use of RFID Technology Increases Vulnerability of Data 

DHS contemplates using the REAL ID system as part of its Federal border 
security program and requested comments on how States could incorporate long-range 
radio frequency identification (“RFID”) technology into the REAL ID card so that it 
could be used as part of the Western Hemisphere Travel Initiative.’ Many groups have 
urged against the use of RFID technology in identification documents. There are 
significant privacy and security risks associated with the use of RFID-enabled 
identification cards, particularly if individuals are not able to control the disclosure of 
identifying information. The Department of State recognized these security and privacy 
threats and changed its E-Passport proposal because of them; the Department of 
Homeland Security (“DHS”) has just abandoned a plan to include RFID chips in border 
identification documents because the pilot test was a failure; and both the Department of 
Homeland Security’s Data Privacy and Integrity Advisory Committee and the 
Government Accountability Office recently cautioned against the use of RFID 
technology in identification documents. 

Privacy and security risks associated with RFID-enabled identification cards 
include “skimming” and “eavesdropping.” Skimming occurs when an individual with 
unauthorized RFID reader gathers information from an RFID chip without the 
cardholder’s knowledge. Eavesdropping occurs when an unauthorized individual 
intercepts data as it is read by an authorized RFID reader. In the absence of effective 


security techniques, RFID tags are remotely and secretly readable. Although the creation 





”* REAL ID Draft Regulations at 10,842, supra note 1; see EPIC, Spotlight on Surveillance, Homeland 
Security PASS Card: Leave Home Without It (Aug. 2006), 

http://www epic.org/privacy/surveillance/spotlight/0806/ (why the Western Hemisphere Travel Initiative’s 
proposed passport card creates security threats); EPIC’s Page on Radio Frequency Identification (RFID) 
Systems, http://www.epic.org/privacy/rfid/. 
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of a small, easily portable RFID reader may be complex and expensive now, it will be 
easier as time passes. For example, the distance necessary to read RFID tags was initially 
thought to be a few inches. In the now-abandoned pilot test, the Department of Homeland 
Security said, “reliable reads can be received from a few inches to as much as 30 feet 
away from the reader.” Other tests also have shown that RFID tags can be read from 70 
feet or more, posing a significant risk of unauthorized access." 

Some attacks already have succeeded against so-called “strengthened” 
identification documents. In one case, a computer expert was able to clone the United 
Kingdom’s electronic passport by using a commercially available RFID reader (which 
cost less than $350) and software that took him less than a couple of days to write.*' In 
assessing the new RFID-enabled U.S. passports, one expert cloned the RFID tag and 
another used characteristics of the radio transmissions to identify individual chips, and 
those researchers spent only a few weeks attacking the RFID-enabled passports.” 

Another security risk of RFID-enabled identification cards is that of clandestine 
tracking. An unauthorized RFID reader could be constructed to mimic the authorized 
signal and then be used to secretly read the RFID tag embedded in the identification card. 
The Government Accountability Office has highlighted this security problem unique to 
wireless technology: 

The widespread adoption of the technology can contribute to the increased 


occurrence of these privacy issues. As previously mentioned, tags can be read by 
any compatible reader. If readers and tags become ubiquitous, tagged items 





” Dep’t of Homeland Sec., Notice with request for comments, 70 Fed. Reg. 44934, 44395 (Aug. 5, 2005), 
available at hitp://frwebgate | access.gpo.gov/cgi- 

bin/waisgate.cgi?W AISdocID=02 1420363270+2+0+0& WA ISaction=retrieve. 

®° See Ziv Kfir and Avishai Wool, Picking Virtual Pockets using Relay Attacks on Contactless Smartcard 
Systems (Feb. 22, 2005), available at http://eprint.iacr.org/2005/052; Scott Bradner, An RFID warning shot, 
Network World, Feb. 7, 2005. 

*! Steve Boggan, Special Report: Identity Cards: Cracked It!, Guardian, Nov. 17, 2006. 

* Bruce Schneier, Opinion, The ID Chip You Don’t Want in Your Passport, Wash. Post, Sept. 16, 2006. 
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carried by an individual can be scanned unbeknownst to that individual. Further, 

the increased presence of readers can provide more opportunities for data to be 

collected and aggregated." 
So long as the RFID tag or chip can be read by unauthorized individuals, the person 
carrying that tag can be distinguished from any other person carrying a different tag. 
Individuals, unlike commercial products with RFID tags, should have the right to control 
the disclosure of their identifying information. 

The federal government should be fully aware by now of the problems raised by 
an insecure RFID scheme. In April 2005, EPIC, the Electronic Frontier Foundation, and 
other groups submitted comments urging the State Department to abandon its E-Passport 
proposal, because it would have made personal data contained in hi-tech passports 
vulnerable to unauthorized access.“ After the Department of State received more than 
2,400 comments on its notice for proposed rulemaking on RFID-enabled passports, many 
of which criticized its serious disregard of security and privacy safeguards, the agency 
said it would implement Basic Access Control in an attempt to prevent skimming and 
eavesdropping.** The use of RFID-enabled identification documents, without including 
Basic Access Control and other safeguards, contravenes the Department of State’s 
incorporation of basic security features into new U.S. passports." 

In 2005, DHS began testing RFID-enabled I-94 forms in its United States Visitor 


and Immigrant Status Indicator Technology (“US-VISIT”) program to track the entry and 





® Gov't Accountability Office, Report to Congressional Requesters: Information Security: Radio 
Frequency Identification Technology in the Federal Government, GAO-05-551 (May 2005), available at 
http://www.gao.gov/new.items/d0555 1 pdf. 

“EPIC, EFF, et. al, Comments on RIN 1400-AB93: Electronic Passport (Apr. 4, 2005), available at 
http://www epic.org/privacy/rfid/rfid_passports-0405.pdf. 

*S Dep't of State, Notice of Proposed Rule, 70 Fed. Reg. 8305 (Feb. 18, 2005), available at 
http://a257.g.akamaitech.net/7/257/2422/0 | jan2005 1 800/edocket.access.gpo.gov/2005/05-3080.htm. 

*° See Kim Zetter, Feds Rethinking RFID Passport, Wired, Apr. 26, 2005; Eric Lipton, Bowing to Critics, 
U.S. to Alter Design of Electronic Passports, N.Y. Times, Apr. 27, 2005. 
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exit of visitors.*” The RFID-enabled forms stored a unique identification number, which 
is linked to data files containing foreign visitors’ personal data.** EPIC warned that this 
flawed proposal would endanger personal privacy and security, citing the plan’s lack of 
basic privacy and security safeguards." The Department of Homeland Security’s 
Inspector General echoed EPIC’s warnings in a July 2006 report. The Inspector General 
found “security vulnerabilities that could be exploited to gain unauthorized or undetected 
access to sensitive data” associated with people who carried the RFID-enabled I-94 
forms.” A report released by the Government Accountability Office in late January 
identified numerous performance and reliability issues in the 15-month test.’' The many 
problems with the RFID-enabled identification system led Homeland Security Secretary 
Michael Chertoff to admit in Congressional testimony on February 9th that the pilot 
program had failed, stating “yes, we’re abandoning it. That’s not going to be a solution” 


for border security.” 





*’ Dep’t of Homeland Sec., Notice With Request For Comments: United States Visitor and Immigrant 
Status Indicator Technology Notice on Automatic Identification of Certain Nonimmigrants Exiting the 
United States at Select Land Border Ports-of-Entry, 70 Fed. Reg. 44934 (Aug. 5, 2005), available at 
http://frwebgate | access.gpo.gov/cgi- 

dbin/waisgate.cgi?W AISdocID=021420363270+2+0+0&W AISaction=retrieve. 

‘The data includes biographic information, such as name, date of birth, country of citizenship, passport 
number and country of issuance, complete U.S. destination address, and digital fingerscans. Dep’t of 
Homeland Sec., Notice of Availability of Privacy Impact Assessment, 70 Fed. Reg. 39300, 39305 (July 7, 
2005), available at 

http://a257.g.akamaitech.net/7/257/2422/0 | jan2005 1800/edocket.access.gpo.gov/2005/05-13371.htm. 

* EPIC, Comments on Docket No. DHS-2005-0011: Notice With Request For Comments: United States 
Visitor and Immigrant Status Indicator Technology Notice on Automatic Identification of Certain 
Nonimmigrants Exiting the United States at Select Land Border Ports-of-Entry (Dec. 8, 2005), available at 
http://www.epic.org/privacy/us: t/100305_rfid.pdf. 

” Dep’t of Homeland Sec. Inspector Gen., Additional Guidance and Security Controls Are Needed Over 
Systems Using RFID at DHS (Redacted) 7 (July 2006), available at 
http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_06-53_Jul06.pdf. 

°! Richard M. Stana, Dir., Homeland Sec. & Justice Issues, Gov’t Accountability Office, Testimony Before 
the Subcom. on Terrorism, Tech., & Homeland Sec., 8. Comm. on the Judiciary, 110th Cong. (Jan. 31, 
2007), available at http://www.gao.gov/new.items/d07378t.pdf. 

°° Michael Chertoff, Sec’y, Dep’t of Homeland Sec., Testimony at a Hearing on the Fiscal Year 2008 Dep't 
of Homeland Sec. Budget Before the H. Comm. on Homeland Sec., 110th Cong. (Feb. 9, 2007), available at 
http://www epic.org/privacy/us-visit/chertoff_020907. pdf. 
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In Congressional testimony in March, a GAO official cautioned against the use of 
RFID technology to track individuals. “Once a particular individual is identified through 
an RFID tag, personally identifiable information can be retrieved from any number of 
sources and then aggregated to develop a profile of the individual. Both tracking and 
profiling can compromise an individual’s privacy,” the GAO said.”’ The GAO reiterated 
the many problems with the failed US-VISIT RFID project and expressed concern that, 
despite this failure, DHS endorsed the use of RFID in the Western Hemisphere Travel 
Initiative PASS Card. 

In December, the Department of Homeland Security Data Privacy and Integrity 
Advisory Committee adopted a report, “The Use of RFID for Identity Verification,” 
which included recommendations concerning the use of RFID in identification 
documents.” The committee outlined security and privacy threats associated with RFID 
similar to the ones discussed below, and it urged against RFID use unless the technology 
is the “least intrusive means to achieving departmental objectives.” It is clear that the 
RFID technology outweigh its benefits and should not be used in identification 


documents. 


VIII. UNIFORM LICENSE DESIGN WOULD CAUSE DISCRIMINATION AGAINST 
NON-REAL ID CARDHOLDERS 





°* Linda D. Koontz, Dir., Info. Mgmt. Issues, Gov’t Accountability Office, Testimony 

Before the Subcom. on Homeland Sec., H. Comm. on Appropriations, 110th Cong. (Apr. 14, 2007), 
available at http://www.gao.gov/new.items/d07630t.pdf. 

° Dep't of Homeland Sec., Data Privacy & Integrity Advisory Comm., The Use of RFID for Human 
Identity Verification (Report No. 2006-02) (Dec. 6, 2006), available at 
http://www.dhs.gov/xlibrary/assets/privacy/privacy_advcom_12-2006_rpt_RFID.pdf. 

° Id. at 2. 
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The Department of Homeland Security contemplates a universal design for 
compliant and non-compliant REAL ID cards.” A universal design, especially for a card 
including citizenship status, would cause irreparable harm, as it would foster suspicion of 
those who do not wish to carry the REAL ID card. Uniform design for a national 


identification card would also create an enormous security risk. 


A. Universal Design Would Foster Suspicion of Innocent Individuals 
The agency is considering a uniform REAL ID card design, asking for comments 
on “[w]hether DHS should standardize the unique design or color required for non-REAL 
ID under the REAL ID Acct for ease of nationwide recognition, and whether DHS should 
also implement a standardized design or color for REAL ID licenses.””’ Mandating 
distinct designs or colors for both REAL ID and regular licenses and identification cards 
and requiring non-REAL ID driver’s licenses or ID cards to have explicit “invalid for 
federal purposes” designations turns this “voluntary” card into a mandatory national ID 
card. It would divide the country into two — people with the REAL ID card and those 
without — and anyone with a different license or ID card would be instantly suspicious. 
Significant delay, complication and possibly harassment or discrimination would fall 
upon those who choose not to carry a REAL ID card. 
B. Official and Unofficial Purposes of REAL ID Must Not Be Increased 
According to DHS, State driver’s licenses and identification cards must meet 
standards set out in the regulations to be accepted for Federal use under REAL ID. Such 
Federal purposes include entering Federal facilities, boarding commercial aircraft, 


entering nuclear power plants, and “any other purposes that the Secretary shall 





°° REAL ID Draft Regulations at 10,841-42, supra note 1. 
°7 Td. at 10,842. 
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determine,” but the limitation on use to the three enumerated purposes are “for the time 
being.””’ The Department of Homeland Security, via the draft regulations and Homeland 
Security Secretary Michael Chertoff, contemplates expanding the use of the national 
identification system. 

In the draft regulations, the agency seeks comments on “how DHS could expand 
[the card’s official purposes] to other federal activities.”” In a February speech, Secretary 
Chertoff said he envisioned the REAL ID licenses “do[ing] double-duty or triple-duty.”"” 
These national identification cards would “be used for a whole host of other purposes. 
where you now have to carry different identification.”""' The agency also may use the 
REAL ID card in the Western Hemisphere Travel Initiative program — if citizenship is 
denoted on the card and long-range RFID technology added.'°* 

In the agency’s economic analysis of REAL ID implementation, reducing ID theft 
is listed as one of the potential ancillary benefits of the national identification system. 
However, the agency says that the potential benefit would depend on a vast expansion of 
REAL ID uses from the three official purposes required in the draft regulations; DHS 
suggests what is needed is “incidental and required use of REAL ID documents in 


99103 


everyday transactions.”'”’ DHS envisions that employers, social service agencies 





°S Regulatory Evaluation at 30, supra note 18. 

°° REAL ID Draft Regulations at 10,823, supra note 1. 

' Michael Chertoff, Sec’y, Dep’t of Homeland Sec., Remarks by Secretary Michael Chertoff at the 
National Emergency Management Association Mid-Year Conference (Feb. 12, 2007), available at 
http://www.dhs.gov/xnews/speeches/sp_1171376113152.shtm. 

101 Ig. 

'2 See RFID Technology discussion, supra Section VII(c) (security and privacy risks inherent in RFID 
use), and Citizenship Designation discussion, supra Section IV (citizenship designation breeds 
discrimination). 

‘©’ Regulatory Evaluation at 130, supra note 18; see Identity Theft discussion, infra at Section X(c) (why 
REAL ID will not reduce identity theft). 
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(including Medicare, Medicaid and student financial aid), firearm sellers and licensors, 
and election workers will all use this national identification system.'™ 

The official and unofficial uses of REAL ID must not be broadened. Such 
expansion would harm national security. As explained below, using a single card for 


many identification purposes would be the same as using one key for every lock. 


IX. EXPANDED DATA COLLECTION AND RETENTION INCREASES SECURITY 
RISKS 


Under REAL ID, the government would have easy access to an incredible amount 
of personal data stored in one national database (or, according to the DHS description, 56 
State and Territory databases, each of which can access all of the others).'"’ DHS claims 
that it is not expanding data collection and retention, but it is enlarging schedules and 
procedures for retention and distribution of identification documents and other personal 
data. This broad expansion of data collection and retention in a national database creates 
significant threats to privacy and security. 

The agency makes two claims about the expanded data retention under REAL ID 
that we dispute: (1) “Most States already include this [extensive, personal] information in 
a machine readable technology,” and (2) “neither the Real ID Act nor these proposed 
regulations gives the Federal Government any greater access to information than it had 
before.’”"”° Each claim is false: DHS is mandating the increase of both the type of 
documents that need to be retained and the length of data retention, and the agency will 


give both State and Federal governments greater access to the personal data. 





'* See National Committee for Voting Integrity, http://votingintegrity.org/ and EPIC, Spotlight on 
Surveillance, With Some Electronic Voting Systems, Not All Votes Count (Sept. 2006), 
http://www.epic.org/privacy/surveillance/spotlight/0307 (why requiring any voter identification card is a 
poll tax). 

'5 Section 202(d)(12); (d)(13). 

‘°° REAL ID Draft Regulations at 10,824, supra note 1. 
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With the REAL ID national identification system, DHS imposes new 
requirements on State motor vehicle agencies. Each of the 56 interconnected databases 
must contain all data fields printed on driver’s licenses and ID cards, and driver's 
histories, including motor vehicle violations, suspensions, and points on licenses.'”’ The 
States are compelled to begin maintaining paper copies or digital images of important 
identity documents, such as birth certificates or naturalized citizenship papers, for seven 
to 10 years.'** This is a significant expansion of the personal data previously reviewed or 
stored by State motor vehicle agencies. 

Currently these identification documents are kept in a variety of places — the 
Social Security system, the immigration system, local courthouses — and it takes 
considerable effort to gather them all together. Under REAL ID, all of these identification 
documents — concerning, among other things, births, marriages, deaths, immigration, 
social services — are consolidated into one national database, accessible to at least tens of 
thousands of government employees nationwide, which would give the Federal and State 
governments greater access than before. 

Security expert Bruce Schneier, EPIC and others have explained that it decreases 
security to have one ID card for many purposes, as there will be a substantial amount of 
harm when the card is compromised.'” There is also the threat that REAL ID is 
ostensibly trying to protect against: forged identification cards. Investing so much trust 


into one card means that criminals will only have to forge one identification card. “No 





*” Section 202(d)(12); (d)(13). 

‘8 REAL ID Draft Regulations at 10,855, supra note 1. 

' Melissa Ngo, Dir., EPIC Identification & Surveillance Project, Prepared Testimony and Statement for 
the Record at a Hearing on “Maryland Senate Joint Resolution 5” Before the Judicial Proceedings Comm. 
of the Maryland Senate (Feb. 15, 2007) (“EPIC Testimony at Maryland Senate”), available at 
http://www.epic.org/privacy/id_cards/ngo_test_021507.pdf. 
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matter how unforgeable we make it, it will be forged. We can raise the price of forgery, 
but we can’t make it impossible. Real IDs will be forged,” Schneier said.''’ A national 
database full of identification documents, images and data would entice many kinds of 
criminals, including terrorists who seek to steal the identity of a “trusted” individual. 

A national identification system would divide the United States into two groups: 
(1) “trusted good guys” who have the national ID card, and (2) “untrusted bad guys” who 
do not. But, Schneier has pointed out that there is a third category that appears — bad guys 
who fit the good guy profile. Upon the release of the draft regulations, Schneier said, 
“The REAL ID regulations do not solve problems of the national ID card, which will fail 
when used by someone intent on subverting that system. Evildoers will be able steal the 
identity — and profile — of an honest person, doing an end-run around the REAL ID 
system.”''' This national identification system inherently contains significant threats to 


individual privacy and national security." 


X. NATIONAL ID DATABASE WOULD INCREASE SECURITY 
VULNERABILITIES 


In the best-case scenario, the creation of the REAL ID national identification 
system does nothing to improve our security protections. In the worst-case scenario, the 
REAL ID system will exponentially increase threats to our national security. DHS’s 
cryptic economic analysis is based upon incredible assumptions about possible future 
terrorist attacks that REAL ID would supposedly prevent. The economic analysis also 


ignores indirect costs. The REAL ID system would harm national security by increasing 





" Bruce Schneier, Real-ID: Costs and Benefits, BULLETIN OF ATOMIC SCIENTISTS, Mar./Apr. 2007 
[“Schneier Essay”], available at http://www.schneier.com/blog/archives/2007/0 1 /realid_costs_an.html. 

'\! Press Release, EPIC, After Long Delay, Homeland Security Department Issues Regulations For Flawed 
National ID Plan (Mar. 2, 2007), available at http://www.epic.org/press/030207.html. 

"2 See National Database discussion, supra Section X (how universal identification systems increase 
security threats). 
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risks of identity theft and fraud, and by diverting funds away from other security 


programs that have been proven effective. 


A. Regulations Would Not Improve Our Security Protections 

Quantitative risk assessments are characteristically limited by false or unverifiable 
assumptions, faulty modeling, and above all short-sighted local optimization that tends to 
ignore long-term implications and slippery-slope changes in the validity of the 
assumptions." The economic analysis in the Department of Homeland Security’s 
Regulatory Evaluation conducts such a quantitative risk assessment, and falls victims to 
these faulty assumptions. The Regulatory Evaluation states: 

The primary benefit of REAL ID is to incrementally increase U.S. national 

security by reducing the vulnerability to criminal or terrorist activity of federal 

buildings, nuclear facilities, and aircraft. The chances of a terrorist attack on such 

targets being successful would generally increase if identity documents that grant 

access to them are in the possession of the attackers. This is demonstrated by the 

fact that several of the 9/11 hijackers had false driver’s licenses or fraudulently 

obtained driver’s licenses in their possession at the time of that attack.''* 
The analysis goes on to say, “REAL ID is highly unlikely to impact the consequences of 
a successful attack, but it may impact, on the margin, the chance of a terrorist attack 
being attempted and succeeding.”''® So, DHS is attempting to determine the marginal 
chance that REAL ID will lessen the chance of success or discourage the attempt of a 
terrorist attack. Setting aside the assumption that a lack of REAL ID cards would make it 
more difficult to succeed in a terrorist attack upon the United States, we turn to the 


mathematical formula that DHS uses to calculate the REAL ID system’s presumed 


“primary benefit.” 





"3 Peter G. Neumann, Computer-Related Risks, § 7.10, Risks in Risk Analysis, pp. 255-257(Addison- 
Wesley 1995). 

"4 Regulatory Evaluation at 126, supra note 18. 

"8 Id. at 127. 
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The annual risk that the U.S. faces with regard to a potential terrorist attack can be 
represented as the chance that an attack will successfully take place, multiplied by 
the consequences of that attack. This can be mathematically represented as []*K, 
where [] is the annual chance of a successful attack and K is the consequences of 
an attack in monetary terms. Homeland security measures such as REAL ID 
impact either the chance or consequences of a successful attack, or both. REAL 
ID is highly unlikely to impact the consequences of a successful attack, but it may 
impact, on the margin, the chance of a terrorist attack being attempted and 
succeeding. Let []B be this chance prior to the introduction of REAL ID, and DA 
be the chance after REAL ID comes into effect. Then the security impact of 
REAL ID in the course of one year can be measured in dollar terms as ([]B — 
TIA)*K.'"° 


So, DHS takes the probability of a successful terrorist attack without the REAL ID 
national identification system in place (OB) and subtracts the probability of a successful 
attack with REAL ID (QA); then they take the resulting number and multiply it by the 
cost to the United States of a successful terrorist attack. Understandably, DHS goes onto 
explain that such an evaluation is very difficult and full of uncertainty. 
Let the cost of the REAL ID regulation, which has been estimated, be C. Then for 
REAL ID to be fully justified on national security grounds alone, it must be the 
case that its benefit is at least as great as its costs. The annual risk-reduction benefit 
of Real ID is (I]B — [TA)*K, and the sum of this benefit over ten years must equal 
Real ID’s cost, C. If we can determine a dollar value for K, then we can measure 
the marginal impact that REAL ID must bring about on the probability of a 
successful terrorist attack on a federal target for it to be fully justified by its security 
benefit.'"” 
DHS is attempting to determine if ([]B — [JA)*K, which is the annual risk-reduction 
benefit of REAL ID, over 10 years, is at least equal to C, which is the cost of REAL ID, 
which DHS has set at — a discounted rate of — $17.2B. DHS goes on to explain that this 
formula is based on the assumption that another attack would affect us, in economic 


terms, the same as September 11, 2001. DHS estimates another attack would cost the 


United States either $63.9 billion (an estimate of the immediate impact incurred) or 





"6 Td. at 127. 
"Td. 
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$374.7B (an estimate of the immediate and longer run impact).''* Other assumptions: 


We assume that terrorist groups are seeking to inflict another attack with 
consequences on the order of magnitude of 9/11. We also assume that they are 
engaged in a campaign such that in every year during the 10-year period over which 
the costs and benefits of REAL ID are being evaluated, there is a positive and 
identical probability of being successfully attacked. Under this assumption, the 
expected present value of the consequences of the terrorist campaign against the 
U.S. homeland equals the sum of the expected values of consequences in each 
particular year over the 10-year period 2007-16: 


112007*K2007 + (1-0)*012008*K2008 + (1-0)2*012009*K2009 + .... 
+ (1-0)9*]]2016*K2016, 


where O is the discount rate and K is the monetary value of consequences in real 
2006 dollars. Because we assume that 0 and O do not change from year to year, 
this can be re-written as: 
II*K + (1-0)* []*K + (1-0)2* []*K + .... + (1-0)9* TT*K , 
or 
D*]1*K, where D equals {1 + (1-0) + (1-0)2 + .... + (1-0)9}. 
This expression is the sum of the expected discounted annual consequences of a 
terrorist campaign against the U.S. homeland over a ten-year period. As noted 
earlier, Real ID is anticipated to bring about a reduction in the annual probability of 
a successful attack from [TB — [JA, and the security benefit of Real ID over the ten- 
year period is therefore D*([]B — [TA)*K.'” 
The variable D represents the annual consequences of a terrorist campaign against the 
U.S. over a ten-year period. DHS multiplies D by [([]B — [JA) times K], which is the 
annual risk-reduction benefit of REAL ID. DHS then sets this equation equal to the 
direct cost of the REAL ID national ID system. By solving this equation, DHS hopes to 


find the marginal impact on security that the REAL ID system must have in order to 


break even. For “Real ID to break even with respect to cost and expected security 





"8 7d. at 127. 
" Regulatory Evaluation at 128-29, supra note 18. 
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benefits, it must be the case that D*([]B — [TA)*K = C, or [TB — [TA = C/(D*K).”"” So, 
to break even, we need [D*([]B — [TA)*K] to be equal to C, meaning that how much 
REAL ID will save us in economic terms must be equal to the cost of the REAL ID 
system. Or, stated another way, it must be that []B — []A, probability of a successful 
terrorist attack without the REAL ID national identification system in place (OB) minus 
the probability of a successful attack with REAL ID ([]A), is equal to C, cost of REAL 
ID system, divided by [D, annual consequences of a terrorist campaign against the U.S. 
over a ten-year period, multiplied by K, cost to the United States of a successful terrorist 
attack]. 

Here is where it gets tricky. Assuming the cost of REAL ID to be $17.2B and the 
cost of a successful 9/1 1-type terrorist attack to be $374.7 billion long-term, the value of 
C/D*K, in 2006 dollars, is 0.61%. Therefore, for “REAL ID to be fully justified by its 
primary security benefit, it must bring about a marginal reduction in the annual chance of 
a successful 9/1 1-type attack of 0.61%.”'*! If DHS only estimates the immediate impact, 
and assumes the cost of REAL ID to be $17.2 billion and the cost of the attack to be 
$63.9 billion, then the value of C/(D*K) is 3.60%. “For REAL ID to be fully justified by 
its primary security benefit in immediate impacts alone, it must bring about a marginal 
reduction in the annual chance of a successful 9/1 1-type attack of 3.60%.”"”” 

After all of these head-scratching mathematical assumptions, there is no conclusion, 
because, as DHS explains, “[w]ithout further information on the absolute level of OB [the 
probability of a successful terrorist attack without the REAL ID national identification 


system in place], it is difficult to say whether 0.61% or 3.60% is a very large reduction in 





20 Td, at 129. 
"Td. 
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the chance of successful attack, or a more moderate reduction.”'” Therefore, it is 
unknown, even with all of these assumptions, whether REAL ID would even marginally 
reduce the possibility of a successful terrorist attack, 

DHS acknowledges that certain assumptions are used in this analysis, such as 
assumptions for the variable K, the impact or the cost to the U.S. economy of a terrorist 
attack, which DHS assumes would be of the same magnitude as September 11, 2001. 
However, there is little discussion about the variable C, the cost of the REAL ID system. 
There are two ways in which the figures used by DHS are faulty: 1) they underestimate 
the direct costs and 2) they ignore the indirect costs. Such indirect costs include the 
impact upon civil liberties, increased risk of identity theft and fraud, and the diversion of 
funds from other, effective security programs.'™ Both faulty assumptions make the 
variable C smaller, while DHS has assumed a very large number for K, so the cost of the 
REAL ID system would seem dwarfed in comparison to the cost of another terrorist 
attack, making REAL ID seem cost-effective even if it only has a marginal effect on the 
probability of another attack — an effect REAL ID would not have. 

REAL ID does not add to our security protections, but in fact increases our security 
threats by diverting needed funds from other national security projects. The estimated 
cost of REAL ID implementation has spiraled. Before the Act’s passage in 2005, the 
Congressional Budget Office estimated its cost to be around $100 million.’ In 


September, the National Conference of State Legislatures released a report estimating the 





123 Iq. 

'24 See Identity Theft discussion, infra at Section X(c) (REAL ID increases risks for identity theft). 
"5 Cong. Budget Office, Cost Estimate: H.R. 418: REAL ID Act of 2005 (Feb. 9, 2005), available at 
http://www.cbo.gov/showdoc.cfm?index=6072&sequence=0&from=6. 
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cost to be $11 billion over the first five years.'° Now, the Department of Homeland 
Security has admitted that REAL ID will cost states and individuals from $17.2 billion to 
$23.1 billion over ten years.'*’ Congress has appropriated only $40 million for REAL ID 
implementation. The Department of Homeland Security now says that a state can use up 
to 20 percent of its Homeland Security Grant Program funding for REAL ID 
implementation, which total about $100 million for 2007.'* Implementation costs for the 
state of California alone would be about $500 million.'” 

Diverting Homeland Security Grant Program money to REAL ID means that 
funding originally budgeted by the states for other homeland security projects, including 
training and equipment for rescue and first responder personnel. Even if the states 
received $100 million per year for 10 years, that would still amount to only $1.04 billion 
in Federal funds, a fraction of the $17.2 billion to $23.1 billion price tag. The rest of the 
cost would be borne by states and their residents. 

B. Regulations Would Increase National Security Threats 
In a recent analysis of the REAL ID Act, EPIC Executive Director Marc 
Rotenberg explained that “[s]ystems of identification remain central to many forms of 
security. But designing secure systems that do not introduce new risks is proving more 


difficult than many policymakers had imagined.’ The theory that the REAL ID Act 





"6 Governors’ Analysis, supra note 46. 

"7 REAL ID Draft Regulations at 10,845, supra note 1. 

' Press Release, Dep’t of Homeland Sec., DHS Issues Proposal for States to Enhance Driver’s Licenses 
(Mar. 1, 2007), available at http://www.dhs.gov/xnews/releases/pr_1172765989904.shtm. 

" Cal. Dep’t of Motor Vehicles, Report to the Legislature on the Status of the REAL ID Act, at 3 (Dec. 15, 
2006), available at http://www.dmv.ca.gov/about/real_id/real_id.pdf. 

'° Mare Rotenberg, Exec. Dir., EPIC, Real ID, Real Trouble?, COMMUNICATIONS OF THE ACM, Mar. 
2006, available at http://www.epic.org/privacy/id_cards/mr_cacm0306.pdf. 
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will prevent terrorism is predicated on the belief that only “outsiders” have an intent to 
harm the United States. This theory is fundamentally flawed. 

Security expert Bruce Schneier has explained the theory of identification-based 
security. “In theory, if we know who you are, and if we have enough information about 
you, we can somehow predict whether you’re likely to be an evildoer,” Schneier said.'*! 
This is impossible, because you cannot predict intent based on identification, he said.'*? 
There are threats from both sides. Terrorist acts have been committed by U.S. citizens, 
“insiders.” Oklahoma City bombers Timothy McVeigh and Terry Nichols were U.S. 
citizens. As was Unabomber Ted Kaczynski. 

A recent case illustrates Schneier’s point. According to court documents, last 
month, two men entered restricted areas at an airport in Florida, bypassed security 
screeners and carried a duffel bag containing 14 guns and drugs onto a commercial 
plane.”'*’ They avoided detection, because they are airline baggage handlers who used 
their uniforms and legally issued identification cards.'** Both men had passed Federal 
background checks before they were hired, according to a spokesman for Comair, the 
airline that employed the men.'*’ This questions the assumption that more and broader 
background checks, such as those suggested in the draft regulations, would prevent 
insider attacks. There are other problems with the background checks, which will be 


discussed below.'** 





'S! Schneier Essay, supra note 110. 
"Id. 
"5 Jim Ellis, Feds: Bag Of Guns Smuggled Onto Plane, Associated Press, Mar. 9, 2007. 
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The baggage handlers were only investigated and caught after police received an 
anonymous tip.'*’ If the airport had identification-neutral security systems, such as 
requiring all fliers go through metal detectors, then the men could not have walked past 
them. But the identification-based security system failed because it allowed some fliers to 
skip screening because they are presumed to have no evil intent, and the men transported 
weapons and contraband aboard a commercial flight. Creating a national identification 
system would have just as devastating consequences, but on a larger scale, because many 
more people would be presumed “trusted” or “untrusted” based upon their decision to 


carry or not carry the REAL ID card. 


C. Even If Assumptions Granted, REAL ID Would Not Substantially Affect 
Identity Theft Crimes 


The draft regulations list reducing identity theft as one of the benefits of the 
REAL ID national identification system.'** However, the agency’s own economic 
analysis under its Regulatory Evaluation shows that, even if one grants DHS the 
economic assumptions it makes, overall identity theft crimes would only be reduced by 
2.8 percent, at best.'? 

First, it is important to note that the DHS Regulatory Evaluation does not list 
“Reduce Identity Theft” under any of the three categories of benefits — “monetized,” 
“annualized quantified, but unmonetized,” or “unquantifiable benefits” in the accounting 
statement for the draft regulations.'“’ Actually, the only benefit listed is under 


“unquantifiable benefits,” and that is the claim that REAL ID would “incremementally 


increase U.S. national security.” 





'7 Jim Ellis, Feds: Bag Of Guns Smuggled Onto Plane. 

'§ REAL ID Draft Regulations at10,837, 10,846, supra note 1. 
'° Regulatory Evaluation at 5, supra note 18. 

"0 Td. at 7. 
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Second, the Regulatory Evaluation later lists “reducing identity theft” as a 
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potential ancillary benefit.'*' The economic analysis explains that: 


REAL ID will only have the ability to impact those types of identity theft that 
require a drivers license for successful implementation, and only to the extent that 
the rulemaking leads to incidental and required use of REAL ID documents in 
everyday transactions, which is an impact that also depends critically on decisions 
made by State and local governments and the private sector.'* 
The potential ancillary benefit depends on a vast expansion of REAL ID uses from the 
three official purposes required in the draft regulations. The economic analysis assumes 
that REAL ID would be used in “everyday transactions,” which would have a devastating 
affect on identity theft protections.'** Setting aside that flawed assumption and focusing 
upon the economic analysis, there is little benefit to be found. If all of the agency’s 
assumptions are agreed to, including the belief that REAL ID cards would be used in 
everyday transactions, the Department of Homeland Security still finds that REAL ID 
would reduce by 10 percent only the 28 percent of ID theft crimes that “are likely to 
require the presentation of an identity document like a drivers license.”'** Therefore, the 
REAL ID national identification system will reduce only 2.8 percent of all identity theft 
crimes, a savings of approximately $1.6 billion total for the 2007-2016 period.'** The 
Department of Homeland Security has estimated that REAL ID would cost $23.1 billion 
for that period. Basic economic analysis finds that one ought not spend $23.1 billion to 


create a national identification system that might reduce the cost of identity theft crimes 


by $1.6 billion. 





'! Id, at 126, 129-30. 

"2 Td. at 130. 

‘3 See Identity Theft discussion, infra at Section X(c) (REAL ID increases risks of identity theft). 
' Regulatory Evaluation at 130, supra note 18. 

5 Id. 
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D. Centralized Identification System Increases Risk of Identity Theft 

The draft regulations create a national identification system with a national 
database, and this creates an enormous security risk. EPIC and others have explained that 
it decreases security to have a centralized system of identification, one ID card for many 
purposes, as there will be a substantial amount of harm when the card is compromised.'“° 

The REAL ID Act mandates that States provide every other state with electronic 
access to information contained in their motor vehicle databases and each State database 
must contain all data fields printed on driver’s licenses and ID cards, and driver’s 
histories, including motor vehicle violations, suspensions, and points on licenses.'*” Yet, 
DHS claims that a national database will not be created because the regulations “leave[] 
the decision of how to conduct the exchanges in the hands of the States.”'“* This 
mandatory “State-to-State data exchange” creates one huge national database containing 
the personal information of 245 million license and ID cardholders — a database that can 
be accessed at DMVs across the country. 

Using a national ID card would be as if you used one key to open your house, 
your car, your safe deposit box, your office, and more.'*’ “The problem is that security 
doesn’t come through identification; security comes through measures — airport 


screening, walls and door locks — that work without relying on identification”; therefore, 





‘6 EPIC Testimony at Maryland Senate, supra note 109; see EPIC, Comments to the Federal Identity Theft 
Task Force, P065410 (Jan. 19, 2007), available at 
http://www.epic.org/privacy/idtheft/EPIC_FTC_ID_Theft_Comments.pdf; EPIC page on Identity Theft: Its 
Causes and Solutions, available at http://www.epic.org/privacy/idtheft/. 

"7 Section 202(d)(12); (d)(13). 

‘8 REAL ID Draft Regulations at 10,825, supra note 1. 

'° Melissa Ngo, Dir., Identification & Surveillance Project, EPIC, Prepared Testimony and Statement for 
the Record at a Meeting on “REAL ID Rulemaking” Before the Data Privacy & Integrity Advisory Comm., 
Dep’t of Homeland Sec. (Apr. 14, 2007), available at 

http://www epic.org/privacy/id_cards/ngo_test_032107.pdf. 


Comments of EPIC 43 Department of Homeland Security 
REAL ID Docket No. DHS 2006-0030 


a centralized system of identification would not increase national security, security expert 
Bruce Schneier has said.'*” 

A large data breach affects the confidence and trust of the public. People will 
recoil from systems that create privacy and security risks for their personal data. We have 
seen countless data breaches that have left the personal data of tens of millions of 
Americans vulnerable to misuse. Recently, almost 46 million credit and debit card 
numbers were stolen by hackers who accessed the computer systems at the TJX 
Companies over a period of several years, making it the biggest breach of personal data 


ever reported.'*! 


The computer system breaches began in July 2005 but weren’t 
discovered until December 2006 — the financial data of millions were exposed for 17 
months.'** Last May, an information security breach by a Department of Veterans Affairs 
employee resulted in the theft from his Maryland home of unencrypted data affecting 
26.5 million veterans, active-duty personnel, and their family members.'* The laptop and 
an external hard drive contained unencrypted information that included millions of Social 
Security numbers, disability ratings and other personal information.’ In February 2005, 
databroker Choicepoint sold the records of at least 145,000 Americans to a criminal ring 
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engaged in identity theft. °° Also that year, Bank of America misplaced back-up tapes 





' Press Release, EPIC, After Long Delay, Homeland Security Department Issues Regulations For Flawed 
National ID Plan (Mar. 2, 2007), available at http://www.epic.org/press/030207.html. 

'S' TJX Cos., Annual Report (Form 10-K), at 8-10 (Mar. 28, 2007), available at 

http://ir. 1 kwizard.com/download.php?format=PDF &ipage=4772887 &source=487. 

'S? Id. at 7. 

'SS See EPIC’s Page on the Veterans Affairs Data Theft, http://www.epic.org/privacy/vatheft/. 

'S Statement, Dep’t of Veterans Affairs, A Statement from the Department of Veterans Affairs (May 22, 
2006). 

‘85 Robert O’ Harrow Jr., ID Theft Scam Hits D.C. Area Residents, Wash. Post, Feb. 21, 2005, at AO1; see 
EPIC’s Page on ChoicePoint, http://www epic.org/privacy/choicepoint/. 
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containing detailed financial information on 1,2 million employees in the Federal 
government, including many members of Congress.'*° 

A centralized identification system would be a tempting target for identity thieves. 
If a criminal breaks the system’s security, then the criminal would have access to the 
personal information of every single person in that database. If this one, centralized 
system is used across the nation, this would put hundreds of millions of people at risk for 
identity theft. 

There is another significant security risk, besides that of attacks by unauthorized 
users, and that is of authorized users abusing their power.'*’ A 2005 scandal in Florida 
highlights risks associated with large database systems. A woman wrote to a newspaper 
criticizing a Florida sheriff as being too fat for police work and condemning his agency’s 
use of stun guns,'** Orange County Sheriff Kevin Beary ordered staffers to use state 
driver’s license records to find the home address of his critic.'®? The sheriff sent her a 
letter at her home address, and she reported being surprised that he was able to track her 
down so easily.' In a case in Maryland just last year, three people — including a 
Maryland Motor Vehicle Administration official — were indicted on charges of 
“conspiring to sell unlawfully produced MVA-issued Maryland identification cards.”"°! 
The consumer harm that results from the wrongful disclosure of personal 


information is very clear. For the seventh year in a row, identity theft is the No. 1 concern 





'S° Robert Lemos, Bank of America loses a million customer records, CNet News.com, Feb. 25, 2005. 
'57 See Domestic Violence discussion, infra Section XI (abusers use their authorized access to stalk 
victims). 

'§ Called fat, sheriff tracks down reader, Associated Press, Apr. 6, 2005. 
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'*! Fake ID Cards, Wash. Post, Mar. 15, 2006, at BO2. 
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Over 


of U.S. consumers, according to the Federal Trade Commission’s annual report. 
104 million data records of U.S. residents have been exposed due to security breaches 
since January 2005, according to a report from the Privacy Rights Clearinghouse.'* A 
centralized system of identification creates a “one-stop shop” for identity thieves. 
Centralizing authority over personal identity into one database and one card increases 
both the risk of identity theft as well as the scope of harm when it occurs. The confidence 
and trust of consumers will fall when such a breach occurs; people will withdraw because 


of privacy and security questions. 


XI. REAL ID HARMS VICTIMS OF DOMESTIC VIOLENCE AND SEXUAL 
ASSAULT 


The REAL ID national identification system creates difficulties for many groups, 
and it has significant consequences for domestic violence and sexual assault victims.'* 
The residential address requirements endanger the ability of victims of domestic violence, 
sexual assault, and other crimes to hide from their abusers. The background check 
provisions set out in the draft regulations do not fully protect these victims from their 
abusers. In fact, the REAL ID system would help abusers find and track their victims 
across the nation. 

A. REAL ID Endangers Address Confidentiality 

Currently, many States allow domestic violence victims and others to protect the 

confidentiality of their residential addresses. States have created formal Address 


Confidentiality Programs and states have also provided general measures of residential 





‘© Fed. Trade Comm'n, Consumer Fraud and Identity Theft Compliant Data: January — December 2006 
(Feb. 7, 2007), available at http://www .consumer.gov/sentinel/pubs/Top10Fraud2006.pdf. 

'® Privacy Rights Clearinghouse, Chronology of Data Breaches, 

http://www. privacyrights.org/ar/ChronDataBreaches.htm. 

‘64 See EPIC’s Page on REAL ID and Domestic Violence, http://www.epic.org/privacy/dv/real_id.html. 
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address privacy. The proposed regulations override these substantial protections, and the 
overrides must be removed from the final regulations. The government must not make it 
easier for abusers to find their victims. 

State Address Confidentiality Programs are an important tool for protecting the 
safety of domestic violence and sexual assault victims. Currently 20 states have address 
confidentiality programs.'°° Generally, under such programs, domestic violence or sexual 
assault victims register with the secretary of State or their attorney general. The victim is 
provided an address with that State office, which forwards the mail received there to the 
enrollee’s residential address. This State office address is used in official correspondence 
with the State, though businesses are not usually required to use it. 


The REAL ID Act requires that driver’s licenses include a person’s “address of 
principal residence.”'® This requirement effectively destroys state address 
confidentiality programs. The recent Violence Against Women and Department of Justice 
Reauthorization Act (“VAWA”) included a requirement for DHS to “consider and 
address” the needs of certain groups when the agency is “developing regulations or 
guidance with regard to identification documents, including driver's licenses,”'®” These 
groups include domestic violence and sexual assault victims who are entitled to be 


enrolled in State address confidentiality programs; whose addresses are entitled to be 


suppressed via court order or State or Federal law; or whose information is protected 





'S See, Nat'l Conference of State Legislatures, States With Address Confidentiality Programs for Domestic 
Violence Survivors, http://www.ncsl.org/programs/cyf/dvsurvive.htm (listing 19 states, not including 
Maryland but including Illinois which is unfunded); See also, Maryland Safe At Home Address 
Confidentiality Program, http://www.sos.state.md.us/ACP/Information.htm. 

' Pub. L. No. 109-13, § 202(b)(6), 119 Stat, 231, 312 (2005). 

‘©? Pub. L. No. 109-162, § 827, 119 Stat. 2960, 3066 (2005). 
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from disclosure according to Section 384 of the Illegal Immigration Reform and 
Immigrant Responsibility Act 1996.'% 

In the draft regulations, DHS has not followed the VAWA requirement; instead, 
the agency has significantly reduced the protections afforded by these programs. The 
proposed regulations require that addresses of principal residence be placed on the face of 
the REAL ID card and include some exemptions from this requirement, such as one for 
those enrolled in Federal Witness Security Programs.'° The regulations also exempt 
those who are enrolled in State address confidentiality programs.'” This is not the same 
as creating an exemption for those who are “entitled to be enrolled in the programs, as 
stated under the Violence Against Women Act.” In its discussion of the proposed rule, 
DHS does propose to include an exemption for those who are “entitled to be enrolled” in 
state address confidentiality programs.'7! DHS must include this exemption in the final 
regulations. It cannot be that, as currently stated under the draft regulations, only those 
actually enrolled in State Address Confidentiality Programs would be exempted from the 
requirement to display their residential addresses on the face of the REAL ID card. Many 
domestic violence and sexual assault victims who are entitled to enroll in State Address 
Confidentiality Programs are not actually enrolled, for a variety of personal, safety and 
logistical reasons. They should not be punished for not actually enrolling in the program. 

In order to adequately “consider and address” the needs of those who are “entitled 
to be enrolled” in a State confidentiality program, DHS must permit States to allow those 


who are entitled to be, but are not in address confidentiality programs to be exempted 





‘68 Violence Against Women and Department of Justice Reauthorization Act of 2005, Pub. L. No. 109-162, 
§ 827, 119 Stat. 2960, 3066 (2005). 

‘© REAL ID Draft Regulations at 10854, supra note 1. 

' Td. at 10854. 

'' Id. at 10836. 
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from the address of principal residence requirement. DHS should allow individuals to 
affirm that they fear victimization and would benefit from address confidentiality. It 
would be problematic to burden State motor vehicle agencies with the determination of 
who is entitled to be enrolled in an address confidentiality program. States could rely on 
the affirmation, rather than making a determination of the merits of an individual’s need 
for confidentiality. This would close the gap between those domestic violence and sexual 
assault victims who are “entitled to be enrolled” and those who are actually enrolled in 
State Address Confidentiality Programs. 

Also, though the proposed rule exempts from the residential address requirement 
those whose addresses are “entitled to be suppressed under State or Federal law or 
suppressed by a court order,” this statement should be clarified to include States that 
generally allow individuals to display on licenses and ID cards an address other than their 
principal place of residence.'” Several States generally allow non-residential addresses to 
be on driver’s licenses. Currently, at least seven States permit an address other than a 
residential address to be listed on licenses or ID cards (California,!” Florida,!”* 
Montana,'’> New Mexico,'”° Oklahoma,'”” Wyoming,'” and Virginia'”). For example, 
under Virginia’s law, an applicant may choose to list a post office box, business or 


residential address.'*” The applicant is still required to provide their residential address 





'? REAL ID Draft Regulations at 10854, supra note 1. 
"8 Cal. Veh. Code § 12811(a)(1)(A). 

'* Fla. Stat. Ann. § 322.14(1)(a). 

"5 Mont. Code. Ann. § 61-5-I11. 

'7° NM. Stat. Ann. § 66-5-15 (1978). 

"7 Okla. Stat. Ann. tit. 47, § 6-111(A)(1). 

" Wyo. Stat. Ann. § 31-7-115(a)(iii). 

Va, Code Ann. § 46.2-342(A1). 
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for motor vehicle department records, but this residential address is not displayed on the 
license or ID card.'*! 

Domestic violence survivors, other crime victims, or those generally interested in 
protecting their privacy avail themselves of these State laws to keep their addresses 
confidential. These laws are the only way that survivors can protect themselves in States 
that do not have formal address confidentiality programs — four of those listed do not 
(Montana, New Mexico, Virginia and Wyoming). These general address privacy laws are 
also the only way that those who fear victimization, but who do not formally qualify for 
State Address Confidentiality programs, can protect themselves. 

Without this exemption allowing States to permit any individual to protect her 
privacy by listing a non-residential address, the victims of domestic violence and sexual 
abuse will also face the embarrassment of disclosing that they are victims anytime that 
their identification is shown. There are few exceptions from the residential address 
requirement, and anyone holding a REAL ID card without the residential address listed 


would immediately be placed into one of these few categories. 


B. National Database Threatens Security of Victims of Abuse Crimes 
The draft regulations require that States provide electronic access to their motor 


2 5 F 
'® Survivors who flee their abusers, 


vehicle database information to all other States. 
crossing into different states, will be exposed if their abuser breaches the security of any 
one of these interconnected databases. An abuser with an associate inside a State DMV, 


law enforcement, or other agency with access to the State records would be able to track 


a victim as the victim moves across the country. 





181 7g, 
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The danger of negligent and accidental disclosures is increased by REAL ID, as 
substantially more government employees will have access to all motor vehicle records 
nationwide. One example of accidental disclosure occurred in Wisconsin earlier this year 
-- a police officer disclosed a victim’s address, found in a DMV record to a stalker; the 
officer did not know that the victim had a restraining order against this.'®? This sort of 
inadvertence would happen much more frequently in a post-REAL ID world, as access to 
personal information is spread throughout the national identification system. Intentional 
breaches by outsiders or authorized insiders abusing their power would also have a wider 
scope. Past abuses exemplify what can be expected in a nationwide scale. For example, in 
Arizona, a police officer admitted to accessing motor vehicle records to find personal 
information on women he was romantically interested in, as well as co-workers.'* If 
REAL ID is implemented, abusers and insiders would have access to records throughout 


the country and would be able to track their victims no matter where they flee. 


C. Proposed Background Check Procedures Do Not Fully Protect Victims of 
Abuse Crimes 


DHS proposes that certain government employees be subject to criminal history 
background checks, with certain offenses disqualifying employees from specific jobs 
related to the REAL ID national identification system. '*° Covered employees would be 
limited to those who could affect the recording of information, the manufacture of REAL 
ID cards, or the information displayed on a card,'*° Employees who can access the record 


information without the ability to edit it are not subject to the background check 





'S’ Kevin Murphy, Officer's Actions will Cost 25,000, GAZETTEXTRA, Feb. 15, 2007, available at 
http://www.gazetteextra.com/mezera021507.asp. 

' Michael Kiefer, Officer Admits to Tampering; Databases Used to Check on Women, ARIZONA 
REPUBLIC, April 6, 2006, at B3. 

'SS REAL ID Draft Regulations at 10,855, supra note 1. 

'86 Td. at 10,856. 
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requirement. This massive loophole greatly increases the security and privacy risks of 
domestic violence and sexual abuse victims, as significant damage can be done by 
unauthorized data disclosure. In order to safeguard against these threats, the broad 
category of those who have access to records should be shrunk, rather than increasing the 
category of those who are covered by the background check requirement. 

The suitability criteria of the background check do not match the threat of stalkers 
and abusers. DHS proposes to use the permanent and interim disqualifying criteria in the 
Transportation Security Administration’s background checks for maritime and land 


transportation security at 49 C.F.R. 1572.103.'°” 


The offenses include espionage, 
sedition, treason, making bomb threats, and crimes involving transportation security 
incidents.'** Some of the offenses, such as fraud and misrepresentation -- including 
identity fraud -- are relevant to the risks of improper disclosure and access to the 
records.'*? However, crimes such as stalking, surveillance, harassment and domestic 
abuse are not in this list. These crimes must be added to the list of disqualifying offenses, 
so that the REAL ID system does not create a loophole permitting abusers access to a 
national database that would allow them to track their victims no matter where the 
victims moved. 
D. REAL ID Increases the Power Abusers Have Over Their Victims 

REAL ID’s stringent document requirements will place more power in the hands 

of abusers. Fleeing domestic violence or sexual abuse can be a sudden and dramatic step. 


Victims’ advocates often counsel their clients to prepare “safety plans,” which include 





"87 Td. at 10,856. 
' 49 C.F.R. 1572.103(a). 
189 Td. at 1572.103(b)(2)(iii). 
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gathering key documents such as passports, visas, and birth certificates. '°° The proposed 
regulations limit the types of documents that can be used to prove identity, which create 
problems for many groups, including abuse victims.'”' The draft regulations permit 
exceptions for those who do not have the required documents “for reasons beyond their 
control.”!”? The exception requires that the records “visibly indicate” that alternative 
documentation was accepted and that a “full explanation” of the reason be included in the 
record.'®> Thus victims will face the embarrassment of having intimate details of the 
abuse they have suffered included in a national database accessible to thousands of 
government employees across the nation. The “for reasons beyond their control” 
exception must specifically include abuse victims, so that they may not be punished for 
leaving their abusers. The visible indication and “full explanation” included in the 
records should be limited to the statement that alternative documents were accepted “for 
reasons of personal safety,” so that victims need not expose the history of their abuse to 
anyone who could view their DMV records. 

Another problem is that this “for reasons beyond their control” exception does not 
apply to those who must demonstrate lawful immigration status.'°* Under the draft 
regulations, the demonstration of lawful status would require documents that an abuser 
would likely have control over. Abusers of immigrants who are able to control their 


victims immigration documents will be able to control the victim’s ability to obtain a 





'° E.g., Oakland County Coordinating Council Against Domestic Violence, Domestic Violence Handbook 
~ Personalized Safety Plan, at http://www.domesticviolence.org/plan.html (last ted Mar. 30, 2007) 
(“Items to take, if possible. . . Birth Certificates . . . Social security cards . . . Passports, green cards, work 
permits”). 

'" REAL ID Draft Regulations at 10,852, supra note 1; see Data Verification discussion, supra Section VI 
(general problems with the standards). 

' REAL ID Draft Regulations at 10,852, supra note 1. 
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REAL ID card or license. The “for reasons beyond their control” exception must be 
extended to those victims who must prove lawful immigration status, so that the abusers 
cannot use these documents to trap their victims into staying in abusive situations. The 
exception permitting those who do not have access to documents to use alternative 
documentation should be extended to the proof of lawful immigration status. Here, also, 
the visible indication and “full explanation” included in the victims’ DMV records should 
be limited to the statement that alternative documents were accepted “for reasons of 
personal safety,” so that victims need not expose the history of their abuse to anyone and 
everyone who could view their DMV records. 

XII. METASYSTEM OF IDENTIFICATION IS BETTER CHOICE 

Once personal data has fallen into the hands of an identity thief, the potential for 
its misuse is proportionate to the extent that the information can be used for illegitimate 
authentication. We have already explained why a universal identifier will not improve 
security. Rather than promoting the use of universal identifiers, EPIC advocates the 
distribution of identity or an identity metasystem in which authentication is confined to 
specific contexts in order to limit the scope for potential misuse. The danger of a single 
identifier is that the harm will be magnified when it is compromised. 

A system of distributed identification reduces the risks associated with security 
breaches and the misuse of personal information. For example, a banking PIN number, in 
conjunction with a bank card, provides a better authentication system because it is not 
coupled with a single, immutable consumer identity. If a bank card and PIN combination 
is compromised, a new bank card and PIN number can be issued and the old combination 


cancelled, limiting the damage done by the compromised data. Drawbacks of such 


Comments of EPIC 54 Department of Homeland Security 
REAL ID Docket No. DHS 2006-0030 


structures, including the possibility for the existence of multiple cards, are currently being 
addressed by the creation of an identity metasystem in which multiple identities can be 
loosely coupled within a single secure system." 

Distributing identity in this way allows for different profiles to be used in 
different authenticating contexts. New profiles can be created as required within a single 
identity metasystem. Misuse is therefore limited to the context of the information 
breached, whether it is a single bank account, online merchant, or medical records. 

Possibilities for data misuse can also be limited at the data collection stage. EPIC 
has previously called attention to the need for Web sites to stop storing customer credit 
card information.'”° Amassing large databases of credit card numbers creates an attractive 
target for potential identity thieves. Creating a national ID card under REAL ID also 
creates an attractive target for potential identity thieves — imagine having access to digital 
copies of “breeder” documents, such as certified birth certificates and SSN cards. 

First and foremost, the best response is not to create a centralized identification 
system such as the one realized under REAL ID. Another simple response to identity 
theft is to require a PIN to be used in conjunction with all identification cards. A third 
response is to forbid third-party collection or storage of data from identification cards. An 
identity metasystem would further reduce the value of such aggregated database targets, 
because authenticators would be separate and distinct from all personally identifiable 
information. 

Finally, technological measures can be used to improve the reliability of 


authentication while respecting consumer privacy. International research efforts are 





'°S Kim Cameron, The Laws of Identity, Identity Weblog, Dec. 9, 2004, 
http://www identityblog.com/stories/2004/12/09/thelaws.html. 
'6 See EPIC’s Page on Identity Theft: Causes and Solutions, http://www.epic.org/privacy/idtheft/. 
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currently underway to create authentication systems that preserve anonymity, and include 
the development of new privacy enhancing technologies for use in such schemes.'*” 
These privacy enhancing technologies allow for the separation of authentication and 
identification and are being deployed in response to security vulnerabilities. Such 
technologies may plug in to identity metasystems, such as Microsoft’s CardSpace. While 
the default settings of CardSpace do not currently meet recognized standards for privacy 
preservation,'”* this model should be studied in detail.'” 
XIII. IMPLEMENTATION JUST NOT POSSIBLE UNDER CURRENT TIMELINE 

Two years after Congress rushed through passage of the REAL ID Act, the 
Department of Homeland Security announced on March 1 proposed regulations to create 
the REAL ID national identification system. The draft regulations were released about 14 
months before the May 2008 implementation deadline. After enormous criticism from the 
public and the States, DHS extended the deadline, but not by much. 

Comments on the draft regulations are due by May 8. DHS says it will review the 
public comments and take them into consideration for the final regulations, the release of 


which is expected in August or September.” In the draft regulations, DHS says it 





'"” See, e.g., Carlisle Adams, Delegation and Proxy Services in Digital Credential Environments, Presented 
at the 7th Annual Privacy and Security Workshop, Your Identity Please: Identity Theft and Identity 
Management in the 21st Century (Nov. 2, 2006), available at 

http://www .idtrail.org/files/cacrwkshpdigcred02nov06.pdf; Stefan Brands, Non-Intrusive Cross-Domain 
Digital Identity Management, Presented at Proceedings of the 3rd Annual PKI R&D Workshop (Apr. 
2004), available at http://www. idtrail.org/files/cross_domain_identity.pdf; David Chaum, Secret-Ballot 
Receipts: True Voter-Verifiable Elections, Presented at ITL Seminar Series, Secret-Ballot Receipts: True 
Voter-Verifiable Elections, Nat’| Inst. of Standards & Tech. (May 19, 2004); Paul Van Oorschot and S. 
Stubblebine, Countering Identity Theft through Digital Uniqueness, Location Cross-Checking, and 
Funneling, Fin. Cryptography & Data Sec. (2005), available at 
http://www.scs.carleton.ca/~paulv/papers/pvoss6- pdf. 

'® Stefan Brands, User centric identity: boon or worst nightmare to privacy?, Identity Corner, Nov. 17, 
2006, http://www.idcorner.org/?p=142. 

199 See generally, NAT’L RESEARCH COUNCIL, WHO GOES THERE? AUTHENTICATION THROUGH THE LENS 
OF PRIVACY (Nat'l Academies 2003). 

2° DHS Testimony at REAL ID Hearing, supra note 11. 
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